Cisco Security Appliance Command Line Configuration Guide
For the Cisco PIX 500 Series
Software Version 7.0
Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA, http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
CONTENTS

About This Guide xxi
    Document Objectives xxi
    Audience xxi
    Related Documentation xxii
    Document Organization xxii
    Document Conventions xxiv
    Obtaining Documentation xxv
        Cisco.

CHAPTER 2 Getting Started 2-1
    Accessing the Command-Line Interface 2-1
    Setting Transparent or Routed Firewall Mode 2-2
    Working with the Configuration 2-3
    Saving Configuration Changes 2-3
    Viewing the Configuration 2-3
    Clearing and Removing Configuration Settings 2-4
    Creating Text Configuration Files Offline 2-4

CHAPTER 3 Enabling Multiple Context Mode 3-1
    Security Context Overview 3-1
    Common Uses for Security Contexts 3-2
    Unsupported Features 3-2
    Context Configuration Files 3-2
    How th

    Monitoring Security Contexts 5-8
    Viewing Context Information 5-8
    Viewing Resource Usage 5-9

CHAPTER 6 Configuring Interface Parameters 6-1
    Security Level Overview 6-1
    Configuring the Interface 6-2
    Allowing Communication Between Interfaces on the Same Security Level

CHAPTER 7 Configuring Basic Settings 7-1
    Changing the Enable Password 7-1
    Setting the Hostname 7-2
    Setting the Domain Name 7-2
    Setting the Date and Time 7-2
    Setting the Time Zone and Daylight Saving Time Date Range
    Set

    Monitoring OSPF 8-15
    Restarting the OSPF Process 8-15
    Configuring RIP 8-16
    RIP Overview 8-16
    Enabling RIP 8-16
    Configuring Multicast Routing 8-17
    Multicast Routing Overview 8-17
    Enabling Multicast Routing 8-18
    Configuring IGMP Features 8-18
    Disabling IGMP on an Interface 8-19
    Configuring Group Membership 8-19
    Configuring a Statically Joined Group 8-19
    Controlling Access to Multicast Groups 8-19
    Limiting the Number of IGMP States on an Interface 8-20
    Modifying the Query Interval and Query Timeout

    Verifying the IPv6 Configuration 9-5
    The show ipv6 interface Command 9-5
    The show ipv6 route Command 9-6
    Configuring a Dual IP Stack on an Interface 9-6
    IPv6 Configuration Example 9-7

CHAPTER 10 Configuring AAA Servers and the Local Database 10-1
    AAA Overview 10-1
    About Authentication 10-2
    About Authorization 10-2
    About Accounting 10-2
    AAA Server and Local Database Support 10-3
    Summary of Support 10-3
    RADIUS Server Support 10-4
    Authentication Methods 10-4
    Attribute Support 10-4
    RADIUS Funct

    The Failover and State Links 11-3
    Failover Link 11-3
    State Link 11-4
    Active/Active and Active/Standby Failover 11-5
    Active/Standby Failover 11-5
    Active/Active Failover 11-9
    Determining Which Type of Failover to Use 11-12
    Regular and Stateful Failover 11-13
    Regular Failover 11-13
    Stateful Failover 11-13
    Failover Health Monitoring 11-14
    Unit Health Monitoring 11-14
    Interface Monitoring 11-14
    Configuring Failover 11-15
    Configuring Active/Standby Failover 11-15
    Prerequisites 11-16
    Configuring Cable-Ba

    Failover Configuration Examples 11-44
    Cable-Based Active/Standby Failover Example 11-45
    LAN-Based Active/Standby Failover Example 11-46
    LAN-Based Active/Active Failover Example 11-48

PART 2 Configuring the Firewall

CHAPTER 12 Firewall Mode Overview 12-1
    Routed Mode Overview 12-1
    IP Routing Support 12-2
    Network Address Translation 12-2
    How Data Moves Through the Security Appliance in Routed Firewall Mode
    An Inside User Visits a Web Server 12-4
    An Outside User Visits a Web Server on the DMZ

    Access List Guidelines 13-6
    Access Control Entry Order 13-6
    Access Control Implicit Deny 13-7
    IP Addresses Used for Access Lists When You Use NAT 13-7
    Adding an Extended Access List 13-9
    Adding an EtherType Access List 13-11
    Adding a Standard Access List 13-13
    Simplifying Access Lists with Object Grouping 13-13
    How Object Grouping Works 13-13
    Adding Object Groups 13-14
    Adding a Protocol Object Group 13-14
    Adding a Network Object Group 13-15
    Adding a Service Object Group 13-15
    Adding an ICMP Typ

    Mapped Address Guidelines 14-13
    DNS and NAT 14-14
    Configuring NAT Control 14-15
    Using Dynamic NAT and PAT 14-16
    Dynamic NAT and PAT Implementation 14-16
    Configuring Dynamic NAT or PAT 14-22
    Using Static NAT 14-25
    Using Static PAT 14-26
    Bypassing NAT 14-29
    Configuring Identity NAT 14-29
    Configuring Static Identity NAT 14-30
    Configuring NAT Exemption 14-31
    NAT Examples 14-32
    Overlapping Networks 14-33
    Redirecting Ports 14-34

CHAPTER 15 Permitting or Denying Network Access 15-1
    Inbound an

CHAPTER 17 Applying Filtering Services 17-1
    Filtering Overview 17-1
    Filtering ActiveX Objects 17-2
    Overview 17-2
    Enabling ActiveX Filtering 17-2
    Filtering Java Applets 17-3
    Overview 17-3
    Enabling Java Applet Filtering 17-3
    Filtering with an External Server 17-4
    Filtering Overview 17-4
    General Procedure 17-5
    Identifying the Filtering Server 17-5
    Buffering the Content Server Response 17-6
    Caching Server Addresses 17-7
    Filtering HTTP URLs 17-7
    Configuring HTTP Filtering 17-7
    Enabling Filteri

    Classification Policy within a Policy Map 18-7
    Multi-match Classification Policy across Multiple Feature Domains 18-7
    First-match Policy within a Feature Domain 18-8
    Action Order 18-9
    Advanced Options 18-10
    Applying a Policy to an Interface Using a Service Policy 18-10
    Direction Policies When Applying a Service Policy 18-10
    Types of Direction Policies 18-11
    Implicit Direction Policies 18-11
    Examples 18-11
    Match Port/Interface Policy Example 18-11
    Match Access List/Interface Policy Example 18-12

    Applying Low Latency Queueing 20-9
    Configuring Priority Queuing 20-10
    Sizing the Priority Queue 20-10
    Reducing Queue Latency 20-10
    Viewing QoS Statistics 20-11
    Viewing the Priority-Queue Configuration for an Interface 20-12

CHAPTER 21 Applying Application Layer Protocol Inspection 21-1
    Application Inspection Engines 21-1
    Overview 21-2
    How Inspection Engines Work 21-2
    Supported Protocols 21-3
    Applying Application Inspection to Selected Traffic 21-5
    Overview 21-5
    Identifying Traffic with a T

    Verifying and Monitoring H.323 Inspection 21-28
    Monitoring H.225 Sessions 21-28
    Monitoring H.245 Sessions 21-29
    Monitoring H.

CHAPTER 22 Configuring ARP Inspection and Bridging Parameters 22-1
    Configuring ARP Inspection 22-1
    ARP Inspection Overview 22-1
    Adding a Static ARP Entry 22-2
    Enabling ARP Inspection 22-2
    Customizing the MAC Address Table 22-3
    MAC Address Table Overview 22-3
    Adding a Static MAC Address 22-3
    Setting the MAC Address Timeout 22-3
    Disabling MAC Address Learning 22-4
    Viewing the MAC Address Table 22-4

PART 3 Configuring VPN

CHAPTER 23 Configuring IPSec and ISAKMP
    Tunneling Overview
    IPSec Over

    Using Dynamic Crypto Maps 23-18
    Providing Site-to-Site Redundancy 23-20
    Viewing an IPSec Configuration 23-20
    Clearing Security Associations 23-20
    Clearing Crypto Map Configurations 23-21

CHAPTER 24 Setting General VPN Parameters 24-1
    Configuring VPNs in Single, Routed Mode 24-1
    Configuring IPSec to Bypass ACLs 24-1
    Permitting Intra-Interface Traffic 24-2
    Setting Maximum Active IPSec VPN Sessions 24-2
    Configuring Client Update 24-2

CHAPTER 25 Configuring Tunnel Groups, Group Policie

CHAPTER 26 Configuring IP Addresses for VPNs 26-1
    Configuring an IP Address Assignment Method 26-1
    Configuring Local IP Address Pools 26-2
    Configuring AAA Addressing 26-2
    Configuring DHCP Addressing 26-3

CHAPTER 27 Configuring Remote Access VPNs 27-1
    Summary of the Configuration 27-1
    Configuring Interfaces 27-2
    Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface 27-3
    Configuring an Address Pool 27-4
    Adding a User 27-4
    Creating a Transform Set 27-4
    Defining a Tu

    Certificate Configuration 30-4
    Preparing for Certificates 30-4
    Configuring Key Pairs 30-5
    Generating Key Pairs 30-5
    Removing Key Pairs 30-6
    Configuring Trustpoints 30-6
    Obtaining Certificates 30-8
    Obtaining Certificates with SCEP 30-8
    Obtaining Certificates Manually 30-10
    Configuring CRLs for a Trustpoint 30-12
    Exporting and Importing Trustpoints 30-14
    Exporting a Trustpoint Configuration 30-14
    Importing a Trustpoint Configuration 30-14
    Configuring CA Certificate Map Rules 30-15

PART System Admi

CHAPTER 31 Managing Software, Licenses, and Configurations 32-1
    Managing Licenses 32-1
    Obtaining an Activation Key 32-1
    Entering a New Activation Key 32-2
    Installing Application or ASDM Software 32-2
    Installation Overview 32-2
    Viewing Files in Flash Memory 32-2
    Installing Application or ASDM Software to the Flash Memory
    Downloading and Backing Up Configuration Files 32-4
    Downloading a Text Configuration 32-4
    Backing Up the Configuration 32-6
    Copying the Configuration to a Server 32-6
    Copying t

APPENDIX A Feature Licenses and Specifications A-1
    Supported Platforms A-1
    Platform Feature Licenses A-1
    VPN Specifications A-4
    Cisco VPN Client Support A-4
    Site-to-Site VPN Compatibility A-4
    Cryptographic Standards A-5

APPENDIX B Sample Configurations B-1
    Example 1: Multiple Mode Firewall With Outside Access
    Example 1: System Configuration B-2
    Example 1: Admin Context Configuration B-3
    Example 1: Customer A Context Configuration B-4
    Example 1: Customer B Context Configuration B-4
    Exam

    Command Output Paging C-5
    Adding Comments C-5
    Text Configuration Files C-6
    How Commands Correspond with Lines in the Text File C-6
    Command-Specific Configuration Mode Commands C-6
    Automatic Text Entries C-6
    Line Order C-7
    Commands Not Included in the Text Configuration C-7
    Passwords C-7
    Multiple Security Context Files C-7

APPENDIX D Addresses, Protocols, and Ports D-1
    IPv4 Addresses and Subnet Masks D-1
    Classes D-2
    Private Networks D-2
    Subnet Masks D-2
    Determining the Subnet Mask D-3
    Deter
About This Guide

This preface introduces the Cisco Security Appliance Command Line Configuration Guide, and includes the following sections:
• Document Objectives, page xxi
• Obtaining Documentation, page xxv
• Documentation Feedback, page xxv
• Obtaining Technical Assistance, page xxvi
• Obtaining Additional Publications and Information, page xxvii

Document Objectives

The purpose of this guide is to help you configure the security appliance using the command-line interface.

Related Documentation

For more information, refer to the following documentation:
• Cisco PIX Security Appliance Release Notes
• Cisco ASDM Release Notes
• Cisco PIX 515E Quick Start Guide
• Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.

Table 1 Document Organization (continued)

Chapter/Appendix | Definition
Part 2: Configuring the Firewall
Chapter 12, “Firewall Mode Overview” | Describes in detail the two operation modes of the security appliance, routed and transparent mode, and how data is handled differently in each mode.
Chapter 13, “Identifying Traffic with Access Lists” | Describes how to identify traffic with access lists.
Chapter 29, “Configuring Certificates” | Describes how to configure digital certificates, which contain information that identifies a user or device. Such information can include a name, serial number, company, department, or IP address. A digital certificate also contains a copy of the public key for the user or device.

Obtaining Documentation

Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation at this URL: http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL: http://www.cisco.

Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support.

Definitions of Service Request Severity

To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.
Severity 1 (S1)—Your network is “down,” or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Obtaining Additional Publications and Information

• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL: http://www.cisco.com/ipj
• World-class networking training is available from Cisco. You can view current offerings at this URL: http://www.cisco.com/en/US/learning/index.
PART 1 Getting Started and General Information
CHAPTER 1 Introduction to the Security Appliance

The security appliance combines advanced stateful firewall and VPN concentrator functionality in one device. The security appliance includes many advanced features, such as multiple security contexts (similar to virtualized firewalls), transparent (Layer 2) firewall or routed (Layer 3) firewall operation, advanced inspection engines, IPSec support, and many more features.

Firewall Functional Overview

This section includes the following topics:
• Security Policy Overview, page 1-2
• Firewall Mode Overview, page 1-3
• Stateful Inspection Overview, page 1-4

Security Policy Overview

A security policy determines which traffic is allowed to pass through the firewall to access another network.

Applying HTTP, HTTPS, or FTP Filtering

Although you can use access lists to prevent outbound access to specific websites or FTP servers, configuring and managing web usage this way is not practical because of the size and dynamic nature of the Internet.

Stateful Inspection Overview

All traffic that goes through the security appliance is inspected using the Adaptive Security Algorithm and either allowed through or dropped. A simple packet filter can check for the correct source address, destination address, and ports, but it does not check that the packet sequence or flags are correct. A filter also checks every packet against the filter, which can be a slow process.

VPN Functional Overview

A VPN is a secure connection across a TCP/IP network (such as the Internet) that appears as a private connection. This secure connection is called a tunnel. The security appliance uses tunneling protocols to negotiate security parameters, create and manage tunnels, encapsulate packets, transmit or receive them through the tunnel, and unencapsulate them.

Security Context Overview

Cisco Security Appliance Command Line Configuration Guide 1-6 OL-6721-01
CHAPTER 2 Getting Started

This chapter describes how to access the command-line interface, configure the firewall mode, and work with the configuration. This chapter includes the following sections:
• Accessing the Command-Line Interface, page 2-1
• Setting Transparent or Routed Firewall Mode, page 2-2
• Working with the Configuration, page 2-3

Accessing the Command-Line Interface

For initial configuration, access the command-line interface directly from the console port.

Step 3 To access privileged EXEC mode, enter the following command:
hostname> enable
The following prompt appears:
Password:
Step 4 Enter the enable password at the prompt. By default, the password is blank, and you can press the Enter key to continue. See the “Changing the Enable Password” section on page 7-1 to change the enable password.

Working with the Configuration

This section describes how to work with the configuration. The security appliance loads the configuration from a text file, called the startup configuration. This file resides by default as a hidden file in internal Flash memory. You can, however, specify a different path for the startup configuration. (For more information, see Chapter 31, “Managing Software, Licenses, and Configurations.

Clearing and Removing Configuration Settings

To erase settings, enter one of the following commands.
• To clear all the configuration for a specified command, enter the following command:
hostname(config)# clear configure configurationcommand [level2configurationcommand]
This command clears all the current configuration for the specified configuration command.

In the text configuration file you are not prompted to enter commands, so the prompt is omitted as follows:
context a
For additional information about formatting the file, see Appendix C, “Using the Command-Line Interface.
CHAPTER 3 Enabling Multiple Context Mode

This chapter describes how to use security contexts and enable multiple context mode. This chapter includes the following sections:
• Security Context Overview, page 3-1
• Enabling or Disabling Multiple Context Mode, page 3-10

Security Context Overview

You can partition a single security appliance into multiple virtual devices, known as security contexts. Each context is an independent device, with its own security policy, interfaces, and administrators.

Common Uses for Security Contexts

You might want to use multiple security contexts in the following situations:
• You are a service provider and want to sell security services to many customers. By enabling multiple security contexts on the security appliance, you can implement a cost-effective, space-saving solution that keeps all customer traffic separate and secure, and also eases configuration.

How the Security Appliance Classifies Packets

Each packet that enters the security appliance must be classified, so that the security appliance can determine to which context to send a packet. The classifier uses the following rules to assign the packet to a context:
1. If only one context is associated with the ingress interface, the security appliance classifies the packet into that context.

Figure 3-1 shows multiple contexts sharing an outside interface, while the inside interfaces are unique, allowing overlapping IP addresses. The classifier assigns the packet to Context B because Context B includes the address translation that matches the destination address.
[Figure 3-1 Packet Classification with a Shared Interface: a packet from the Internet with destination 209.165.201.3 arrives on GE 0/0.]

Note that all new incoming traffic must be classified, even from inside networks. Figure 3-2 shows a host on the Context B inside network accessing the Internet. The classifier assigns the packet to Context B because the ingress interface is Gigabit Ethernet 0/1.3, which is assigned to Context B.
[Figure 3-2 Incoming Traffic from Inside Networks: Internet, GE 0/0.1, Admin Context, Context A, Context B, Classifier, GE 0/1.1, GE 0/1.]

For transparent firewalls, you must use unique interfaces. For the classifier, the lack of NAT support in transparent mode leaves unique interfaces as the only means of classification. Figure 3-3 shows a host on the Context B inside network accessing the Internet. The classifier assigns the packet to Context B because the ingress interface is Gigabit Ethernet 1/0.3, which is assigned to Context B.

Shared Interface Guidelines

If you want to allow traffic from a shared interface through the security appliance, then you must translate the destination addresses of the traffic. In other words, you must have a global command associated with the shared interface or a static command that specifies the shared interface as the global interface.

Figure 3-4 shows two servers on an inside shared interface. One server sends a packet to the translated address of a web server, and the security appliance classifies the packet to go through Context C because it includes a static translation for the address. The other server sends the packet to the real untranslated address, and the packet is dropped because the security appliance cannot classify it.
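The classifier rules and the Shared Interface Guidelines above, as an added Python simulation that is not part of this guide or of Cisco's software. The context names, the topology and every address except 209.165.201.3 and the GE 0/1.3 to Context B assignment are assumptions modelled on Figures 3-1 to 3-4; the audit function flags a context that shares an interface without a global or static translation on it.

```python
"""Simulation of the multiple-context packet classifier from Chapter 3.

Added example for this guide, not Cisco code.  It models the classifier
rules on the page (a unique ingress interface decides the context; on a
shared interface the destination address is matched against each context's
global/static translations, and a destination no context translates is
dropped) and the Shared Interface Guidelines check that a context needs a
translation on a shared interface to receive traffic there.  Topology and
addresses are constructed after Figures 3-1 to 3-4; only the GE0/1.3 ->
Context B assignment and the 209.165.201.3 destination come from the page.
"""
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Context:
    name: str
    # Interfaces allocated to the context (allocate-interface in the
    # system configuration), by real interface name.
    interfaces: set
    # Mapped (translated) prefixes per interface.  These stand in for the
    # 'global' pools and 'static' mapped addresses that use the interface
    # as their global interface; the classifier consults them on shared
    # interfaces.  Key: interface name, value: list of CIDR strings.
    translations: dict = field(default_factory=dict)

    def translates(self, iface, dst):
        """True if dst falls inside a mapped prefix this context owns on iface."""
        ip = ip_address(dst)
        return any(ip in ip_network(p) for p in self.translations.get(iface, []))


def classify(contexts, ingress, dst):
    """Return (context name or None, reason) for a packet arriving on ingress."""
    owners = [c for c in contexts if ingress in c.interfaces]
    if not owners:
        return None, "dropped: ingress interface is not allocated to any context"
    if len(owners) == 1:
        # Rule 1: only one context owns the ingress interface.
        return owners[0].name, "unique ingress interface"
    # Rule 2: shared interface, so the destination address decides.
    hits = [c for c in owners if c.translates(ingress, dst)]
    if len(hits) == 1:
        return hits[0].name, "destination matches this context's translation"
    if not hits:
        # Figure 3-4: a packet sent to the real, untranslated address is
        # dropped because the security appliance cannot classify it.
        return None, "dropped: no context translates the destination"
    # Assumption of this simulation: overlapping translations on a shared
    # interface are a configuration error, so no context is chosen.
    return None, "dropped: %d contexts translate the destination" % len(hits)


def shared_interface_audit(contexts):
    """List (context, interface) pairs where a context shares an interface
    but has no global/static translation on it, so traffic the context
    originates on that interface can never be classified to it."""
    owners = Counter(i for c in contexts for i in c.interfaces)
    return sorted((c.name, i) for c in contexts for i in c.interfaces
                  if owners[i] > 1 and not c.translations.get(i))


# Constructed topology after Figures 3-1 and 3-2: GigabitEthernet0/0.1 is the
# shared outside interface, each context has a unique inside subinterface.
ADMIN = Context("admin", {"GigabitEthernet0/0.1", "GigabitEthernet0/1.1"},
                {"GigabitEthernet0/0.1": ["209.165.201.1/32"]})   # assumed
CTX_A = Context("contextA", {"GigabitEthernet0/0.1", "GigabitEthernet0/1.2"},
                {"GigabitEthernet0/0.1": ["209.165.201.2/32"]})   # assumed
CTX_B = Context("contextB", {"GigabitEthernet0/0.1", "GigabitEthernet0/1.3"},
                {"GigabitEthernet0/0.1": ["209.165.201.3/32"]})   # Figure 3-1
# Context C (constructed) shares the outside interface but has no
# translation on it, which the Shared Interface Guidelines warn against.
CTX_C = Context("contextC", {"GigabitEthernet0/0.1", "GigabitEthernet0/1.4"})
CONTEXTS = [ADMIN, CTX_A, CTX_B, CTX_C]


if __name__ == "__main__":
    # Figure 3-1: Internet packet to 209.165.201.3 on the shared interface.
    print(classify(CONTEXTS, "GigabitEthernet0/0.1", "209.165.201.3"))
    # Figure 3-2: inside host on GigabitEthernet0/1.3 reaching the Internet.
    print(classify(CONTEXTS, "GigabitEthernet0/1.3", "198.51.100.10"))
    # Figure 3-4: destination is a real address no context translates.
    print(classify(CONTEXTS, "GigabitEthernet0/0.1", "209.165.201.30"))
    for name, iface in shared_interface_audit(CONTEXTS):
        print("WARNING: %s shares %s but has no global/static on it" % (name, iface))
```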
Cascading Security Contexts

Because of the limitation for originating traffic on a shared interface, a scenario where you place one context behind another requires that you configure static statements in the top context for every single outside address that bottom context users want to access. Figure 3-5 shows a user in the bottom context (Context A) trying to access www.example.com.

Logging into the Security Appliance in Multiple Context Mode

When you access the security appliance console, you access the system execution space. If you later configure Telnet or SSH access to a context, you can log in to a specific context. If you log in to a specific context, you can only access the configuration for that context.

Restoring Single Context Mode

If you convert from multiple mode to single mode, you might want to first copy a full startup configuration (if available) to the security appliance; the system configuration inherited from multiple mode is not a complete functioning configuration for a single mode device.
CHAPTER 4 Configuring Ethernet Settings and Subinterfaces

This chapter describes how to configure Ethernet settings for physical interfaces and add subinterfaces. In single context mode, complete the procedures in this chapter and then continue your interface configuration in Chapter 6, “Configuring Interface Parameters.

The auto setting is the default for copper interfaces. For fiber Gigabit Ethernet interfaces, the default is no speed nonegotiate, which sets the speed to 1000 Mbps and enables link negotiation for flow-control parameters and remote fault information. The speed nonegotiate command disables link negotiation. These two commands are the only available options for fiber interfaces.

Configuring Subinterfaces

To add a subinterface and assign a VLAN to it, perform the following steps:
Step 1 To specify the new subinterface, enter the following command:
hostname(config)# interface physical_interface.subinterface
See the “Configuring Ethernet Settings” section for a description of the physical interface ID. The subinterface ID is an integer between 1 and 4294967293.
CHAPTER 5 Adding and Managing Security Contexts

This chapter describes how to configure multiple security contexts on the security appliance, and includes the following sections:
• Configuring a Security Context, page 5-1
• Removing a Security Context, page 5-5
• Changing the Admin Context, page 5-5
• Changing Between Contexts and the System Execution Space, page 5-5
• Changing the Security Context URL, page 5-6
• Reloading a Security Context, page 5-7
• Monitoring Security Contexts, pa

Configuring a Security Context

To add or change a context in the system configuration, perform the following steps:
Step 1 To add or modify a context, enter the following command in the system execution space:
hostname(config)# context name
The name is a string up to 32 characters long. This name is case sensitive, so you can have two contexts named “customerA” and “CustomerA,” for example.

If you specify a range of subinterfaces, you can specify a matching range of mapped names. Follow these guidelines for ranges:
• The mapped name must consist of an alphabetic portion followed by a numeric portion. The alphabetic portion of the mapped name must match for both ends of the range. For example, enter the following range:
int0-int10
If you enter gigabitethernet1.1-gigabitethernet1.

Specify the interface name if you want to override the route to the server address. The filename does not require a file extension, although we recommend using “.cfg”. The admin context file must be stored on the internal Flash memory. If you download a context configuration from an HTTP or HTTPS server, you cannot save changes back to these servers using the copy running-config startup-config command.

Removing a Security Context

You can only remove a context by editing the system configuration. You cannot remove the current admin context, unless you remove all contexts using the clear context command.
Note If you use failover, there is a delay between when you remove the context on the active unit and when the context is removed on the standby unit.

To change between the system execution space and a context, or between contexts, see the following commands:
• To change to a context, enter the following command:
hostname# changeto context name
The prompt changes to the following:
hostname/name#
• To change to the system execution space, enter the following command:
hostname/admin# changeto system
The prompt changes to the following:
hostname#

Changing the Security

Reloading a Security Context

You can reload the context in two ways:
• Clear the running configuration and then import the startup configuration. This action clears most attributes associated with the context, such as connections and NAT tables.
• Remove the context from the system configuration. This action clears additional attributes, such as memory allocation, which might be useful for troubleshooting.

Monitoring Security Contexts

This section describes how to view and monitor context information, and includes the following topics:
• Viewing Context Information, page 5-8
• Viewing Resource Usage, page 5-9

Viewing Context Information

From the system execution space, you can view a list of contexts including the name, allocated interfaces, and configuration file URL.

Real Interfaces: GigabitEthernet0.10, GigabitEthernet1.20, GigabitEthernet2.30
Mapped Interfaces: int1, int2, int3
Flags: 0x00000011, ID: 2
Context "system", is a system resource
Config URL: startup-config
Real Interfaces:
Mapped Interfaces: GigabitEthernet0, GigabitEthernet0.10, GigabitEthernet1, GigabitEthernet1.10, GigabitEthernet1.20, GigabitEthernet2, GigabitEthernet2.

The counter counter_name is one of the following keywords:
• current—Shows the active concurrent instances or the current rate of the resource.
• peak—Shows the peak concurrent instances, or the peak rate of the resource since the statistics were last cleared, either using the clear resource usage command or because the device rebooted.
• all—(Default) Shows all statistics.
CHAPTER 6 Configuring Interface Parameters

This chapter describes how to configure each interface and subinterface for a name, security level, and IP address. For single context mode, the procedures in this chapter continue the interface configuration started in Chapter 4, “Configuring Ethernet Settings and Subinterfaces.

• NAT control—When you enable NAT control, you must configure NAT for hosts on a higher security interface (inside) when they access hosts on a lower security interface (outside). Without NAT control, or for same security interfaces, you can choose to use NAT between any interfaces, or you can choose not to use NAT. Keep in mind that configuring NAT for an outside interface might require a special keyword.

The physical interface types include the following:
• ethernet
• gigabitethernet
For the PIX 500 series security appliance, enter the type followed by the port number, for example, ethernet0. Append the subinterface ID to the physical interface ID separated by a period (.). In multiple context mode, enter the mapped name if one was assigned using the allocate-interface command.

To disable the interface, enter the shutdown command. If you enter the shutdown command for a physical interface, you also shut down all subinterfaces. If you shut down an interface in the system execution space, then that interface is shut down in all contexts that share it, even though the context configurations show the interface as enabled.

Note If you enable NAT control, you do not need to configure NAT between same security level interfaces. If you enable same security interface communication, you can still configure interfaces at different security levels as usual.
C H A P T E R 7 Configuring Basic Settings This chapter describes how to configure basic settings on your security appliance that are typically required for a functioning configuration.
Chapter 7 Configuring Basic Settings Setting the Hostname Setting the Hostname When you set a hostname for the security appliance, that name appears in the command line prompt. If you establish sessions to multiple devices, the hostname helps you keep track of where you enter commands. The default hostname depends on your platform. For multiple context mode, the hostname that you set in the system execution space appears in the command line prompt for all contexts.
Chapter 7 Configuring Basic Settings Setting the Date and Time Setting the Time Zone and Daylight Saving Time Date Range By default, the time zone is UTC and the daylight saving time date range is from 2:00 a.m. on the first Sunday in April to 2:00 a.m. on the last Sunday in October.
Chapter 7 Configuring Basic Settings Setting the Date and Time The offset value sets the number of minutes to change the time for daylight saving time. By default, the value is 60 minutes. Setting the Date and Time Using an NTP Server To obtain the date and time from an NTP server, perform the following steps: Step 1 To configure authentication with an NTP server, perform the following steps: a. To enable authentication, enter the following command: hostname(config)# ntp authenticate b.
Chapter 7 Configuring Basic Settings Setting the Management IP Address for a Transparent Firewall The day value sets the day of the month, from 1 to 31. The month value sets the month. Depending on your standard date format, you can enter the day and month as april 1 or as 1 april. The year value sets the year using four digits, for example, 2004. The year range is 1993 to 2035.
CHAPTER 8 Configuring IP Routing and DHCP Services This chapter describes how to configure IP routing and DHCP on the security appliance. This chapter includes the following sections: • Configuring Static and Default Routes, page 8-1 • Configuring OSPF, page 8-3 • Configuring RIP, page 8-16 • Configuring Multicast Routing, page 8-17 • Configuring DHCP, page 8-24 Configuring Static and Default Routes This section describes how to configure static routes on the security appliance.
Chapter 8 Configuring IP Routing and DHCP Services Configuring Static and Default Routes This section includes the following topics: • Configuring a Static Route, page 8-2 • Configuring a Default Route, page 8-3 For information about configuring IPv6 static and default routes, see the “Configuring IPv6 Default and Static Routes” section on page 9-3.
Chapter 8 Configuring IP Routing and DHCP Services Configuring OSPF Configuring a Default Route A default route identifies the gateway IP address to which the security appliance sends all IP packets for which it does not have a learned or static route. A default route is simply a static route with 0.0.0.0/0 as the destination IP address. Routes that identify a specific destination take precedence over the default route. You can define up to three equal cost default route entries per device.
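The lookup rule in the paragraph above (a route to a specific destination wins over the 0.0.0.0/0 default route, and at most three equal-cost default routes may exist) can be modelled as a longest-prefix-match table. The following Python is an added illustration, not code from the appliance or from this guide; the routing table and the gateway addresses in it are constructed for the example, and the lookup returns every route tied for the longest prefix so the equal-cost default entries are visible.

```python
"""Longest-prefix-match route lookup (added illustration, not the appliance's code).

Models the rule from the guide: a route that identifies a specific destination
takes precedence over the default route 0.0.0.0/0, and up to three equal-cost
default route entries are allowed. The table below is constructed sample data.
"""
import ipaddress
from typing import List, Tuple

# Each entry: (destination network, next-hop gateway, interface name).
Route = Tuple[ipaddress.IPv4Network, str, str]

# Constructed sample table; gateways are documentation addresses, not real devices.
ROUTES: List[Route] = [
    (ipaddress.ip_network("0.0.0.0/0"), "209.165.201.1", "outside"),    # default route 1
    (ipaddress.ip_network("0.0.0.0/0"), "209.165.201.2", "outside"),    # default route 2 (equal cost)
    (ipaddress.ip_network("10.1.0.0/16"), "192.168.1.254", "inside"),
    (ipaddress.ip_network("10.1.5.0/24"), "192.168.1.253", "inside"),   # more specific than the /16
]

MAX_DEFAULT_ROUTES = 3  # limit stated in the guide


def validate_routes(routes: List[Route]) -> None:
    """Reject a table that has more equal-cost default routes than the appliance allows."""
    defaults = [r for r in routes if r[0].prefixlen == 0]
    if len(defaults) > MAX_DEFAULT_ROUTES:
        raise ValueError(
            f"{len(defaults)} default routes configured; maximum is {MAX_DEFAULT_ROUTES}"
        )


def lookup(dst: str, routes: List[Route] = ROUTES) -> List[Route]:
    """Return every route tied for the longest matching prefix (the ECMP candidates).

    An empty list means the destination is unroutable: no specific route and no
    default route covers it.
    """
    validate_routes(routes)
    addr = ipaddress.ip_address(dst)
    best: List[Route] = []
    best_len = -1
    for route in routes:
        net = route[0]
        if addr not in net:
            continue
        if net.prefixlen > best_len:        # strictly longer prefix: new winner
            best, best_len = [route], net.prefixlen
        elif net.prefixlen == best_len:     # same length: equal-cost tie
            best.append(route)
    return best


def next_hops(dst: str, routes: List[Route] = ROUTES) -> List[str]:
    """Gateway addresses selected for dst, in table order."""
    return [gw for _, gw, _ in lookup(dst, routes)]


if __name__ == "__main__":
    for target in ("10.1.5.7", "10.1.9.1", "172.16.0.1"):
        print(f"{target} -> {next_hops(target)}")
```

Removing both default entries from the table makes the lookup for an unknown destination return an empty list, which is what "no learned or static route" means for the appliance: the packet has nowhere to go.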
Chapter 8 Configuring IP Routing and DHCP Services Configuring OSPF • Configuring Route Summarization When Redistributing Routes into OSPF, page 8-12 • Generating a Default Route, page 8-13 • Configuring Route Calculation Timers, page 8-13 • Logging Neighbors Going Up or Down, page 8-14 • Displaying OSPF Update Packet Pacing, page 8-14 • Monitoring OSPF, page 8-15 • Restarting the OSPF Process, page 8-15 OSPF Overview OSPF uses a link-state algorithm to build and calculate the shortest path
Chapter 8 Configuring IP Routing and DHCP Services Configuring OSPF Enabling OSPF To enable OSPF, you need to create an OSPF routing process, specify the range of IP addresses associated with the routing process, then assign area IDs associated with that range of IP addresses. Note You cannot enable OSPF if RIP is enabled.
Chapter 8 Configuring IP Routing and DHCP Services Configuring OSPF Adding a Route Map To define a route map, perform the following steps: Step 1 To create a route map entry, enter the following command: hostname(config)# route-map name {permit | deny} [sequence_number] Route map entries are read in order. You can identify the order using the sequence_number option, or the security appliance uses the order in which you add the entries.
Chapter 8 Configuring IP Routing and DHCP Services Configuring OSPF The following example shows how to redistribute routes with a hop count equal to 1. The security appliance redistributes these routes as external LSAs with a metric of 5, metric type of Type 1, and a tag equal to 1.
Chapter 8 Configuring IP Routing and DHCP Services Configuring OSPF Configuring OSPF Interface Parameters You can alter some interface-specific OSPF parameters as necessary. You are not required to alter any of these parameters, but the following interface parameters must be consistent across all routers in an attached network: ospf hello-interval, ospf dead-interval, and ospf authentication-key.
Chapter 8 Configuring IP Routing and DHCP Services Configuring OSPF Usually, one key per interface is used to generate authentication information when sending packets and to authenticate incoming packets. The same key identifier on the neighbor router must have the same key value. We recommend that you not keep more than one key per interface. Every time you add a new key, you should remove the old key to prevent the local system from continuing to communicate with a hostile system that knows the old key.
Chapter 8 Configuring IP Routing and DHCP Services Configuring OSPF
SPF algorithm executed 2 times
Area ranges are
Number of LSA 5. Checksum Sum 0x 209a3
Number of opaque link LSA 0. Checksum Sum 0x 0
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0
Configuring OSPF Area Parameters You can configure several area parameters.
Chapter 8 Configuring IP Routing and DHCP Services Configuring OSPF Configuring OSPF NSSA The OSPF implementation of an NSSA is similar to an OSPF stub area. NSSA does not flood type 5 external LSAs from the core into the area, but it can import autonomous system external routes in a limited way within the area. NSSA imports type 7 autonomous system external routes within an NSSA area by redistribution.
Chapter 8 Configuring IP Routing and DHCP Services Configuring OSPF Configuring Route Summarization Between OSPF Areas Route summarization is the consolidation of advertised addresses. This feature causes a single summary route to be advertised to other areas by an area boundary router. In OSPF, an area boundary router advertises networks in one area into another area.
Chapter 8 Configuring IP Routing and DHCP Services Configuring OSPF Generating a Default Route You can force an autonomous system boundary router to generate a default route into an OSPF routing domain. Whenever you specifically configure redistribution of routes into an OSPF routing domain, the router automatically becomes an autonomous system boundary router. However, an autonomous system boundary router does not by default generate a default route into the OSPF routing domain.
Chapter 8 Configuring IP Routing and DHCP Services Configuring OSPF Logging Neighbors Going Up or Down By default, the system sends a system message when an OSPF neighbor goes up or down. Configure this command if you want to know about OSPF neighbors going up or down without turning on the debug ospf adjacency command. The log-adj-changes router configuration command provides a higher level view of the peer relationship with less output.
Chapter 8 Configuring IP Routing and DHCP Services Configuring OSPF Monitoring OSPF You can display specific statistics such as the contents of IP routing tables, caches, and databases. You can use the information provided to determine resource utilization and solve network problems. You can also display information about node reachability and discover the routing path that your device packets are taking through the network.
Chapter 8 Configuring IP Routing and DHCP Services Configuring RIP Configuring RIP This section describes how to configure RIP. This section includes the following topics: • RIP Overview, page 8-16 • Enabling RIP, page 8-16 RIP Overview Devices that support RIP send routing-update messages at regular intervals and when the network topology changes.
Chapter 8 Configuring IP Routing and DHCP Services Configuring Multicast Routing Note Before testing your configuration, flush the ARP caches on any routers connected to the security appliance. For Cisco routers, use the clear arp command to flush the ARP cache. You cannot enable RIP if OSPF is enabled. Configuring Multicast Routing This section describes how to configure multicast routing.
Chapter 8 Configuring IP Routing and DHCP Services Configuring Multicast Routing Enabling Multicast Routing Enabling multicast routing lets the security appliance forward multicast packets. Enabling multicast routing automatically enables PIM and IGMP on all interfaces. To enable multicast routing, enter the following command: hostname(config)# multicast-routing The number of entries in the multicast routing tables is limited by the amount of RAM on the system.
Chapter 8 Configuring IP Routing and DHCP Services Configuring Multicast Routing Disabling IGMP on an Interface You can disable IGMP on specific interfaces. This is useful if you know that you do not have any multicast hosts on a specific interface and you want to prevent the security appliance from sending host query messages on that interface.
Chapter 8 Configuring IP Routing and DHCP Services Configuring Multicast Routing • To create an extended access list, enter the following command: hostname(config)# access-list name extended [permit | deny] protocol src_ip_addr src_mask dst_ip_addr dst_mask The dst_ip_addr argument is the IP address of the multicast group being permitted or denied.
Chapter 8 Configuring IP Routing and DHCP Services Configuring Multicast Routing Changing the Query Response Time By default, the maximum query response time advertised in IGMP queries is 10 seconds. If the security appliance does not receive a response to a host query within this amount of time, it deletes the group.
Chapter 8 Configuring IP Routing and DHCP Services Configuring Multicast Routing Note The dense output_if_name keyword and argument pair is only supported for stub multicast routing. Configuring PIM Features Routers use PIM to maintain forwarding tables for forwarding multicast datagrams. When you enable multicast routing on the security appliance, PIM and IGMP are automatically enabled on all interfaces. Note PIM is not supported with PAT.
Chapter 8 Configuring IP Routing and DHCP Services Configuring Multicast Routing To configure the address of the PIM RP, enter the following command: hostname(config)# pim rp-address ip_address [acl] [bidir] The ip_address argument is the unicast IP address of the router to be a PIM RP. The acl argument is the name or number of an access list that defines which multicast groups the RP should be used with. Excluding the bidir keyword causes the groups to operate in PIM sparse mode.
Chapter 8 Configuring IP Routing and DHCP Services Configuring DHCP For More Information about Multicast Routing The following RFCs from the IETF provide technical details about the IGMP and multicast routing standards used for implementing the SMR feature: • RFC 2236 IGMPv2 • RFC 2362 PIM-SM • RFC 2588 IP Multicast and Firewalls • RFC 2113 IP Router Alert Option • IETF draft-ietf-idmr-igmp-proxy-01.
Chapter 8 Configuring IP Routing and DHCP Services Configuring DHCP You cannot configure a DHCP client or DHCP Relay services on an interface on which the server is enabled. Additionally, DHCP clients must be directly connected to the interface on which the server is enabled. To enable the DHCP server on a given security appliance interface, perform the following steps: Step 1 Create a DHCP address pool.
Chapter 8 Configuring IP Routing and DHCP Services Configuring DHCP For example, to assign the range 10.0.1.101 to 10.0.1.110 to hosts connected to the inside interface, enter the following commands:
hostname(config)# dhcpd address 10.0.1.101-10.0.1.110 inside
hostname(config)# dhcpd dns 209.165.201.2 209.165.202.129
hostname(config)# dhcpd wins 209.165.201.5
hostname(config)# dhcpd lease 3000
hostname(config)# dhcpd domain example.
hostname(config)# dhcpd
Chapter 8 Configuring IP Routing and DHCP Services Configuring DHCP Cisco IP Phones download their configuration from a TFTP server. When a Cisco IP Phone starts, if it does not have both the IP address and TFTP server IP address preconfigured, it sends a request with option 150 or 66 to the DHCP server to obtain this information. • DHCP option 150 provides the IP addresses of a list of TFTP servers. • DHCP option 66 gives the IP address or the hostname of a single TFTP server.
Chapter 8 Configuring IP Routing and DHCP Services Configuring DHCP To enable DHCP relay, perform the following steps: Step 1 To set the IP address of a DHCP server on a different interface from the DHCP client, enter the following command: hostname(config)# dhcprelay server ip_address if_name You can use this command up to 4 times to identify up to 4 servers.
CHAPTER 9 Configuring IPv6 This chapter describes how to enable and configure IPv6 on the security appliance. IPv6 is available in Routed firewall mode only.
Chapter 9 Configuring IPv6 Configuring IPv6 on an Interface • telnet • tftp-server • who • write When entering IPv6 addresses in commands that support them, simply enter the IPv6 address using standard IPv6 notation, for example ping fe80::2e0:b6ff:fe01:3b7a. The security appliance correctly recognizes and processes the IPv6 address.
Chapter 9 Configuring IPv6 Configuring IPv6 Default and Static Routes There are several methods for configuring IPv6 addresses for an interface. Pick the method that suits your needs from the following: • The simplest method is to enable stateless autoconfiguration on the interface. Enabling stateless autoconfiguration on the interface configures IPv6 addresses based on prefixes received in Router Advertisement messages.
Chapter 9 Configuring IPv6 Configuring IPv6 Access Lists Step 1 To add the default route, use the following command: hostname(config)# ipv6 route interface_name ::/0 next_hop_ipv6_addr The address ::/0 is the IPv6 equivalent of “any.” Step 2 (Optional) Define IPv6 static routes.
Chapter 9 Configuring IPv6 Verifying the IPv6 Configuration Step 2
• src_port and dst_port—The source and destination port (or service) argument. Enter an operator (lt for less than, gt for greater than, eq for equal to, neq for not equal to, or range for an inclusive range) followed by a space and a port number (or two port numbers separated by a space for the range keyword).
• icmp_type—Specifies the ICMP message type being filtered by the access rule.
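The port-operator semantics listed above (lt, gt, eq, neq, and an inclusive range) are easy to get wrong at the boundaries, for example treating range as exclusive or lt as "less than or equal". The Python below is an added illustration, not the appliance's own access-list parser: it turns an operator string into a predicate, validates the port values, and evaluates a small constructed list of entries first-match-wins with an implicit deny, which is how the guide describes access lists behaving elsewhere.

```python
"""Port-operator matching for IPv6 access-list port arguments (added illustration).

Implements the operators the guide lists for src_port/dst_port: lt, gt, eq, neq,
and range with inclusive bounds. This is not the appliance's parser; the
access-list entries in SAMPLE_ACL are constructed for the example.
"""
from typing import Callable, List, Tuple

_PORT_MIN, _PORT_MAX = 0, 65535


def parse_port_operator(spec: str) -> Callable[[int], bool]:
    """Turn a port argument such as 'eq 80' or 'range 1024 65535' into a predicate."""
    tokens = spec.split()
    if not tokens:
        raise ValueError("empty port specification")
    op, args = tokens[0].lower(), tokens[1:]
    ports = [int(a) for a in args]
    for p in ports:
        if not _PORT_MIN <= p <= _PORT_MAX:
            raise ValueError(f"port {p} outside {_PORT_MIN}-{_PORT_MAX}")

    if op == "range":
        # range takes two ports and is inclusive on both ends.
        if len(ports) != 2 or ports[0] > ports[1]:
            raise ValueError(f"range needs two ordered ports, got {args}")
        lo, hi = ports
        return lambda port: lo <= port <= hi

    if len(ports) != 1:
        raise ValueError(f"operator {op} takes exactly one port, got {args}")
    (value,) = ports
    single_port_ops = {
        "lt": lambda port: port < value,
        "gt": lambda port: port > value,
        "eq": lambda port: port == value,
        "neq": lambda port: port != value,
    }
    if op not in single_port_ops:
        raise ValueError(f"unknown port operator {op!r}")
    return single_port_ops[op]


def matches(spec: str, port: int) -> bool:
    """True if the port satisfies the operator string."""
    return parse_port_operator(spec)(port)


# Constructed entries: (action, dst_port operator string). Order matters.
SAMPLE_ACL: List[Tuple[str, str]] = [
    ("deny", "eq 23"),            # block telnet explicitly
    ("permit", "range 80 443"),   # inclusive: 80 and 443 both allowed
    ("permit", "gt 1023"),        # ephemeral ports
]


def first_match(acl: List[Tuple[str, str]], dst_port: int) -> str:
    """First matching entry decides; nothing matching means implicit deny."""
    for action, spec in acl:
        if matches(spec, dst_port):
            return action
    return "deny"


if __name__ == "__main__":
    for port in (23, 80, 443, 444, 1023, 1024):
        print(f"dst port {port}: {first_match(SAMPLE_ACL, port)}")
```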
Chapter 9 Configuring IPv6 Configuring a Dual IP Stack on an Interface ICMP redirects are enabled ND DAD is enabled, number of DAD attempts: 1 ND reachable time is 30000 milliseconds Note The show interface command only displays the IPv4 settings for an interface. To see the IPv6 configuration on an interface, you need to use the show ipv6 interface command. The show ipv6 interface command does not display any IPv4 settings for the interface (if both are configured on the interface).
Chapter 9 Configuring IPv6 IPv6 Configuration Example IPv6 Configuration Example Example 9-1 shows several features of IPv6 configuration:
• Each interface is configured with both IPv6 and IPv4 addresses.
• The IPv6 default route is set with the ipv6 route command.
• An IPv6 access list is applied to the outside interface.
Example 9-1 IPv6 Configuration Example
interface Ethernet0
 speed auto
 duplex auto
 nameif outside
 security-level 0
 ip address 16.142.10.100 255.255.255.
Chapter 9 Configuring IPv6 IPv6 Configuration Example
snmp-server enable traps snmp
fragment size 200 outside
fragment chain 24 outside
fragment size 200 inside
fragment chain 24 inside
sysopt nodnsalias inbound
sysopt nodnsalias outbound
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect smtp
  inspect sqlnet
  insp
CHAPTER 10 Configuring AAA Servers and the Local Database This chapter describes support for AAA (pronounced “triple A”) and how to configure AAA servers and the local database.
Chapter 10 Configuring AAA Servers and the Local Database AAA Overview About Authentication Authentication controls access by requiring valid user credentials, which are typically a username and password.
Chapter 10 Configuring AAA Servers and the Local Database AAA Server and Local Database Support AAA Server and Local Database Support The security appliance supports a variety of AAA server types and a local database that is stored on the security appliance. This section describes support for each AAA server type and the local database.
Chapter 10 Configuring AAA Servers and the Local Database AAA Server and Local Database Support RADIUS Server Support The security appliance supports RADIUS servers.
Chapter 10 Configuring AAA Servers and the Local Database AAA Server and Local Database Support Table 10-2 RADIUS Functions (continued) Functions Description User authentication for network access When a user attempts to access networks through the security appliance and the traffic matches an authentication statement, the security appliance sends to the RADIUS server the user credentials (typically a username and password) and grants or denies user network access based on the response from the serve
Chapter 10 Configuring AAA Servers and the Local Database AAA Server and Local Database Support Table 10-3 TACACS+ Functions (continued) Functions Description Accounting for CLI access You can configure the security appliance to send accounting information to a TACACS+ server about administrative sessions.
Chapter 10 Configuring AAA Servers and the Local Database AAA Server and Local Database Support A version 5.0 SDI server that you configure on the security appliance can be either the primary or any one of the replicas. See the “SDI Primary and Replica Servers” section on page 10-7 for information about how the SDI agent selects servers to authenticate users. Two-step Authentication Process SDI version 5.
Chapter 10 Configuring AAA Servers and the Local Database AAA Server and Local Database Support LDAP Server Support The security appliance can use LDAP servers for VPN authorization. When user authentication for VPN access has succeeded and the applicable tunnel-group record specifies an LDAP authorization server group, the security appliance queries the LDAP server and applies to the VPN session the authorizations it receives.
Chapter 10 Configuring AAA Servers and the Local Database Configuring the Local Database Table 10-4 Local Database Functions (continued) Functions Description VPN authentication When a user attempts to establish VPN access and the traffic matches an authentication statement, the security appliance checks the username and password received against the local user database, and grants or denies VPN access based on the result.
Chapter 10 Configuring AAA Servers and the Local Database Configuring the Local Database Caution If you add to the local database users who can gain access to the CLI but who should not be allowed to enter privileged mode, enable command authorization. (See the “Configuring Local Command Authorization” section on page 30-7.) Without command authorization, users can access privileged mode (and all commands) at the CLI using their own password if their privilege level is 2 or greater (2 is the default).
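The Caution above describes a review that is easy to automate against a saved configuration: list every local user whose privilege level is 2 or higher (2 applies when the privilege keyword is omitted) and report them when command authorization is not enabled, and separately report accounts created with nopassword. The Python below is an added check, not part of this guide or of the appliance; the configuration text it parses is constructed, and the "aaa authorization command LOCAL" line it looks for to detect command authorization is an assumption of this example rather than something quoted from this page.

```python
"""Lint local-database accounts that can reach privileged mode (added illustration).

Applies the rule from the guide's Caution: without command authorization, any
local user at privilege 2 or higher (2 is the default) can enter privileged mode
with their own password. SAMPLE_CONFIG is constructed; the aaa authorization
command line used to detect command authorization is assumed, not taken from
this page.
"""
import re
from typing import Dict, List

DEFAULT_PRIVILEGE = 2   # default level when the privilege keyword is omitted
PRIV_THRESHOLD = 2      # level at which privileged mode becomes reachable

_USERNAME_RE = re.compile(
    r"^\s*username\s+(?P<name>\S+)\s+"
    r"(?:password\s+(?P<pw>\S+)|(?P<nopw>nopassword))"
    r"(?:\s+privilege\s+(?P<priv>\d+))?",
    re.IGNORECASE,
)
# Assumed marker for command authorization being enabled (example assumption).
_CMD_AUTHZ_RE = re.compile(r"^\s*aaa\s+authorization\s+command\s+\S+", re.IGNORECASE)

# Constructed sample configuration; passwords are placeholders.
SAMPLE_CONFIG = """\
username admin password passw0rd privilege 15
username bcham34 nopassword
username ops password 0psPlaceholder
username guest password GuestPlaceholder privilege 1
"""


def parse_users(config: str) -> Dict[str, dict]:
    """Collect each local user's effective privilege level and password state."""
    users: Dict[str, dict] = {}
    for line in config.splitlines():
        m = _USERNAME_RE.match(line)
        if not m:
            continue
        priv = int(m.group("priv")) if m.group("priv") else DEFAULT_PRIVILEGE
        users[m.group("name")] = {
            "privilege": priv,
            "nopassword": m.group("nopw") is not None,
        }
    return users


def has_command_authorization(config: str) -> bool:
    """True if any line enables command authorization (assumed syntax, see above)."""
    return any(_CMD_AUTHZ_RE.match(line) for line in config.splitlines())


def audit(config: str) -> List[str]:
    """Return one finding per risky account, sorted by username."""
    findings: List[str] = []
    authz = has_command_authorization(config)
    for name, info in sorted(parse_users(config).items()):
        if info["nopassword"]:
            findings.append(f"{name}: account has no password")
        if not authz and info["privilege"] >= PRIV_THRESHOLD:
            findings.append(
                f"{name}: privilege {info['privilege']} can enter privileged mode "
                "without command authorization"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against a configuration that does enable command authorization, the privilege findings disappear and only the nopassword account remains, which matches the guide's advice that command authorization is the control to add when low-trust users need CLI access.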
Chapter 10 Configuring AAA Servers and the Local Database Identifying AAA Server Groups and Servers For example, the following command assigns a privilege level of 15 to the admin user account:
hostname/contexta(config)# username admin password passw0rd privilege 15
The following command creates a user account with no password:
hostname/contexta(config)# username bcham34 nopassword
The following commands create a user account with a password, enter username mode, and specify a few VPN attributes: ho
Chapter 10 Configuring AAA Servers and the Local Database Identifying AAA Server Groups and Servers unresponsive, and the fallback method is tried. The server group remains marked as unresponsive for a period of 10 minutes (by default) so that additional AAA requests within that period do not attempt to contact the server group, and the fallback method is used immediately. To change the unresponsive period from the default, see the reactivation-mode command in the following step.
Chapter 10 Configuring AAA Servers and the Local Database Identifying AAA Server Groups and Servers
Table 10-5 Host Mode Commands, Server Types, and Defaults (continued)
Command       Applicable AAA Server Types   Default Value
sdi-version   SDI                           sdi-5
server-port   Kerberos                      88
              LDAP                          389
              NT                            139
              SDI                           5500
              TACACS+                       49
timeout       All                           10 seconds
c. When you have finished configuring the AAA server host, enter exit.
CHAPTER 11 Configuring Failover This chapter describes the security appliance failover feature, which lets you configure two security appliances so that one will take over operation if the other one fails.
Chapter 11 Configuring Failover Understanding Failover Failover System Requirements This section describes the hardware, software, and license requirements for security appliances in a failover configuration. This section contains the following topics: • Hardware Requirements, page 11-2 • Software Requirements, page 11-2 • License Requirements, page 11-2 Hardware Requirements The two units in a failover configuration must have the same hardware configuration.
Chapter 11 Configuring Failover Understanding Failover The Failover and State Links This section describes the failover and the state links, which are dedicated connections between the two units in a failover configuration. This section includes the following topics: • Failover Link, page 11-3 • State Link, page 11-4 Failover Link The two units in a failover pair constantly communicate over a failover link to determine the operating status of each unit.
Chapter 11 Configuring Failover Understanding Failover On systems running in multiple context mode, the failover link resides in the system context. This interface and the state link, if used, are the only interfaces that you can configure in the system context. All other interfaces are allocated to and configured from within security contexts. Note The IP address and MAC address for the failover link do not change at failover.
Chapter 11 Configuring Failover Understanding Failover Caution Sharing the Stateful Failover link with a regular firewall interface is not supported. This restriction was not enforced in previous versions of the software. If you are upgrading from a previous version of the security appliance software, and have a configuration that shares the state link with a regular firewall interface, then the configuration related to the firewall interface will be lost when you upgrade.
Chapter 11 Configuring Failover Understanding Failover Active/Standby Failover Overview Active/Standby failover lets you use a standby security appliance to take over the functionality of a failed unit. When the active unit fails, it changes to the standby state while the standby unit changes to the active state. The unit that becomes active assumes the IP addresses (or, for transparent firewall, the management IP address) and MAC addresses of the failed unit and begins passing traffic.
Chapter 11 Configuring Failover Understanding Failover unit may be overwritten by the configuration being replicated from the active unit. Avoid entering commands on either unit in the failover pair during the configuration replication process. Depending upon the size of the configuration, replication can take from a few seconds to several minutes. On the standby unit, the configuration exists only in running memory.
Chapter 11 Configuring Failover Understanding Failover Failover Triggers The unit can fail if one of the following events occurs: • The unit has a hardware failure or a power failure. • The unit has a software failure. • Too many monitored interfaces fail. • The no failover active command is entered on the active unit or the failover active command is entered on the standby unit. Failover Actions In Active/Standby failover, failover occurs on a unit basis.
Chapter 11 Configuring Failover Understanding Failover Active/Active Failover This section describes Active/Active failover.
Chapter 11 Configuring Failover Understanding Failover Each failover group in the configuration is given a primary or secondary unit preference. This preference determines on which unit in the failover pair the contexts in the failover group appear in the active state when both units start simultaneously. You can have both failover groups be in the active state on a single unit in the pair, with the other unit containing the failover groups in the standby state.
Chapter 11 Configuring Failover Understanding Failover You can use the write standby command to resynchronize configurations that have become out of sync. For Active/Active failover, the write standby command behaves as follows: • If you enter the write standby command in the system execution space, the system configuration and the configurations for all of the security contexts on the security appliance is written to the peer unit.
Chapter 11 Configuring Failover Understanding Failover Table 11-2 shows the failover action for each failure event. For each failure event, the policy (whether or not failover occurs), actions for the active failover group, and actions for the standby failover group are given.
Chapter 11 Configuring Failover Understanding Failover Table 11-3 provides a comparison of some of the features supported by each type of failover configuration:
Table 11-3 Failover Configuration Feature Support
Feature                                 Active/Active   Active/Standby
Single Context Mode                     No              Yes
Multiple Context Mode                   Yes             Yes
Load Balancing Network Configurations   Yes             No
Unit Failover                           Yes             Yes
Failover of Groups of Contexts          Yes             No
Failover of Individual Contexts         No              No
Regular and Stateful Failover The secu
Chapter 11 Configuring Failover Understanding Failover
• The user authentication (uauth) table.
• The routing tables.
• State information for Security Service Cards.
Note If failover occurs during an active Cisco IP SoftPhone session, the call will remain active because the call session state information is replicated to the standby unit. When the call is terminated, the IP SoftPhone client will lose connection with the Call Manager.
Chapter 11 Configuring Failover Configuring Failover When a unit does not receive hello messages on a monitored interface, it runs the following tests: 1. Link Up/Down test—A test of the interface status. If the Link Up/Down test indicates that the interface is operational, then the security appliance performs network tests. The purpose of these tests is to generate network traffic to determine which (if either) unit has failed.
Chapter 11 Configuring Failover Configuring Failover • Configuring LAN-Based Active/Standby Failover, page 11-17 • Configuring Optional Active/Standby Failover Settings, page 11-20 See the “Failover Configuration Examples” section on page 11-44 for examples of typical failover configurations. Prerequisites Before you begin, verify the following: • Both units have the same hardware, software configuration, and proper license.
Chapter 11 Configuring Failover Configuring Failover The if_name argument assigns a logical name to the interface specified by the phy_if argument. The phy_if argument can be the physical port name, such as Ethernet1, or a previously created subinterface, such as Ethernet0/2.3. This interface should not be used for any other purpose. b.
Chapter 11 Configuring Failover Configuring Failover Configuring the Primary Unit Follow these steps to configure the primary unit in a LAN-based, Active/Standby failover configuration. These steps provide the minimum configuration needed to enable failover on the primary unit. For multiple context mode, all steps are performed in the system execution space unless otherwise noted.
Chapter 11 Configuring Failover Configuring Failover Step 5 (Optional) To enable Stateful Failover, configure the state link. The state link must be configured on an unused interface. a. Specify the interface to be used as state link. hostname(config)# failover link if_name phy_if Note If the state link uses the failover link, then you only need to supply the if_name argument. The if_name argument assigns a logical name to the interface specified by the phy_if argument.
Chapter 11 Configuring Failover Configuring Failover To configure the secondary unit, perform the following steps: Step 1 (PIX security appliance platform only) Enable LAN-based failover. hostname(config)# failover lan enable Step 2 Define the failover interface. Use the same settings as you used for the primary unit. a. Specify the interface to be used as the failover interface.
Chapter 11 Configuring Failover Configuring Failover This section includes the following topics: • Enabling HTTP Replication with Stateful Failover, page 11-21 • Disabling and Enabling Interface Monitoring, page 11-21 • Configuring Interface and Unit Poll Times, page 11-22 • Configuring Failover Criteria, page 11-22 • Configuring Virtual MAC Addresses, page 11-22 Enabling HTTP Replication with Stateful Failover To allow HTTP connections to be included in the state information replication, you ne
Chapter 11 Configuring Failover Configuring Failover Configuring Interface and Unit Poll Times The security appliance monitors both unit and interface health for failover. You can configure the amount of time between hello messages when monitoring interface and unit health. Decreasing the poll time allows an interface or unit failure to be detected more quickly, but consumes more system resources.
Chapter 11 Configuring Failover Configuring Failover Configuring Active/Active Failover This section describes how to configure Active/Active failover.
Chapter 11 Configuring Failover Configuring Failover Note In multiple context mode, you must configure the interface addresses from within each context. Use the changeto context command to switch between contexts. The command prompt changes to hostname/context(config-if)#, where context is the name of the current context. Step 4 (Optional) To enable Stateful Failover, configure the state link. The state link must be configured on an unused interface. a. Specify the interface to be used as state link.
Chapter 11 Configuring Failover Configuring Failover Step 7 Enable failover. hostname(config)# failover Step 8 Power on the secondary unit and enable failover on the unit if it is not already enabled: hostname(config)# failover The active unit sends the configuration in running memory to the standby unit. As the configuration synchronizes, the messages “Beginning configuration replication: Sending to mate” and “End Configuration Replication to mate” appear on the primary console.
Chapter 11 Configuring Failover Configuring Failover d. Specify the failover link active and standby IP addresses. hostname(config)# failover interface ip if_name ip_addr mask standby ip_addr The standby IP address must be in the same subnet as the active IP address. You do not need to identify the standby IP address subnet mask. The failover link IP address and MAC address do not change at failover.
Chapter 11 Configuring Failover Configuring Failover The following example assigns failover group 1 a primary preference and failover group 2 a secondary preference: hostname(config)# failover group 1 hostname(config-fover-group)# primary hostname(config-fover-group)# exit hostname(config)# failover group 2 hostname(config-fover-group)# secondary hostname(config-fover-group)# exit Step 4 Assign each user context to a failover group using the join-failover-group command in context configuration mode.
Chapter 11 Configuring Failover Configuring Failover c. Enable the interface. hostname(config)# interface phy_if hostname(config-if)# no shutdown Step 3 (Optional) Designate this unit as the secondary unit. hostname(config)# failover lan unit secondary Note Step 4 This step is optional because by default units are designated as secondary unless previously configured otherwise. Enable failover.
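Two of the rules in the steps above are easy to get wrong when the configuration is typed by hand: the standby address must sit in the same subnet as the active address (both on data interfaces and on the failover link), and the failover and state links must be on interfaces that carry no data traffic. The checker below is an added example, not code from the Cisco guide. It parses a small constructed configuration in the guide's syntax (the `failover interface ip` form of 7.0 and the older `failover ip address` form are both accepted) and reports both kinds of mistake; the sample contains two deliberate errors.

```python
"""Sanity-check failover addressing in a PIX 7.0-style configuration.

Added example, not from the Cisco guide. Flags:
  * a standby address outside the active address's subnet
    (interface "ip address ... standby ..." and "failover interface ip ...");
  * a failover or state link on a physical interface that also has a
    nameif, i.e. one that is not an unused interface.
"""
import ipaddress
import re

# Constructed sample (not from the guide) with two deliberate mistakes:
# the inside standby address is on the wrong subnet, and the state link
# is placed on Ethernet3, which is also the "dmz" data interface.
SAMPLE_CONFIG = """\
hostname pixfirewall
interface Ethernet0
 nameif outside
 security-level 0
 ip address 209.165.201.1 255.255.255.224 standby 209.165.201.2
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 standby 192.168.3.2
interface Ethernet2
 description LAN Failover Interface
interface Ethernet3
 nameif dmz
 security-level 50
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
failover
failover lan unit primary
failover lan interface folink Ethernet2
failover link state Ethernet3
failover interface ip folink 10.0.4.1 255.255.255.0 standby 10.0.4.11
failover interface ip state 192.168.253.1 255.255.255.252 standby 192.168.253.2
"""

IP_RE = re.compile(r"^\s*ip address (\S+) (\S+) standby (\S+)")
FO_IP_RE = re.compile(r"^failover (?:interface ip|ip address) (\S+) (\S+) (\S+) standby (\S+)")
FO_LINK_RE = re.compile(r"^failover (?:lan interface|link) (\S+) (\S+)")


def parse_interfaces(config):
    """Return {physical_if: {"nameif": name or None, "ip": (active, mask, standby) or None}}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            interfaces[current] = {"nameif": None, "ip": None}
        elif current and line.startswith(" "):
            body = line.strip()
            if body.startswith("nameif "):
                interfaces[current]["nameif"] = body.split()[1]
            m = IP_RE.match(line)
            if m:
                interfaces[current]["ip"] = m.groups()
        else:
            current = None  # a top-level command ends the interface block
    return interfaces


def same_subnet(active, mask, standby):
    net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
    return ipaddress.ip_address(standby) in net


def check_failover(config):
    """Return a list of findings; an empty list means no problem was found."""
    findings = []
    interfaces = parse_interfaces(config)
    for phy, info in interfaces.items():
        if info["ip"] and not same_subnet(*info["ip"]):
            active, mask, standby = info["ip"]
            findings.append(f"{phy}: standby {standby} is not in the subnet of {active}/{mask}")
    for line in config.splitlines():
        m = FO_IP_RE.match(line)
        if m and not same_subnet(m.group(2), m.group(3), m.group(4)):
            findings.append(f"failover link {m.group(1)}: standby {m.group(4)} is not in the subnet of {m.group(2)}/{m.group(3)}")
        m = FO_LINK_RE.match(line)
        if m:
            logical, phy = m.groups()
            nameif = interfaces.get(phy, {}).get("nameif")
            if nameif:
                findings.append(f"failover/state link {logical} is on {phy}, which is also data interface '{nameif}'")
    return findings


if __name__ == "__main__":
    for finding in check_failover(SAMPLE_CONFIG):
        print(finding)
```

Run it against the running configuration of each unit before enabling failover; a clean result does not prove the pair will form, but either finding above guarantees it will not.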
Configuring Failover Group Preemption

Assigning a primary or secondary priority to a failover group specifies which unit the failover group becomes active on when both units boot simultaneously. However, if one unit boots before the other, then both failover groups become active on that unit.

The unit poll time specifies the amount of time between hello messages sent across the failover link to determine the health of the peer unit. Decreasing the unit poll time allows a failed unit to be detected faster, but consumes more system resources.

You can prevent the return packets from being dropped by using the asr-group command on interfaces where this is likely to occur. With the asr-group command configured on an interface, the interface connection information is sent to the failover peer. If the peer receives a packet for which it does not have an active connection, it looks for a corresponding connection on the other interfaces in the asynchronous routing group.

unit looks at the session information for any other interfaces with the same asr-group assigned to it. It finds the session information in the outside interface for context A, which is in the standby state on the unit, and forwards the return traffic to the unit where context A is active.
Using the show failover Command

This section describes the show failover command output. On each unit you can verify the failover status by entering the show failover command. The information displayed depends upon whether you are using Active/Standby or Active/Active failover.

In multiple context mode, using the show failover command in a security context displays the failover information for that context. The information is similar to the information shown when using the command in single context mode. Instead of showing the active/standby status of the unit, it displays the active/standby status of the context. Table 11-4 provides descriptions for the information shown.

Table 11-4 Show Failover Display Description (continued)
Field                      Options
Monitored Interfaces       Displays the number of interfaces monitored out of the maximum possible.
failover replication http  Displays whether HTTP state replication is enabled for Stateful Failover.
Stateful Obj               For each field type, the following statistics are shown. They are counters for the number of state information packets sent between the two units; the fields do not necessarily show active connections through the unit.
                           • xmit—Number of packets transmitted to the other unit.
                           • xerr—Number of errors that occurred while transmitting packets to the other unit.

Show Failover—Active/Active

The following is sample output from the show failover command for Active/Active Failover. Table 11-5 provides descriptions for the information shown.

Logical Update Queue Information
                Cur    Max    Total
        Recv Q: 0      1      1895
        Xmit Q: 0      0      1940

The following is sample output from the show failover group command for Active/Active Failover. The information displayed is similar to that of the show failover command, but limited to the specified group. Table 11-5 provides descriptions for the information shown.

Table 11-5 Show Failover Display Description (continued)
Field                      Options
Monitored Interfaces       Displays the number of interfaces monitored out of the maximum possible.
Group 1 Last Failover at:  The date and time of the last failover for each group in the following form:
Group 2 Last Failover at:  hh:mm:ss UTC DayName Month Day yyyy
                           UTC (Coordinated Universal Time) is equivalent to GMT (Greenwich Mean Time).
Stateful Obj               For each field type, the following statistics are used. They are counters for the number of state information packets sent between the two units; the fields do not necessarily show active connections through the unit.

Viewing Monitored Interfaces

To view the status of monitored interfaces, enter the following command. In single context mode, enter this command in global configuration mode. In multiple context mode, enter this command within a context.
primary/context(config)# show monitor-interface
For example:
hostname/context(config)# show monitor-interface
This host: Primary - Active
        Interface outside (192.168.1.2): Normal
        Interface inside (10.1.1.
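On a pair that is supposed to be protecting production, the interesting parts of this output are the ones that are not "Normal": a monitored interface in any other state, a peer that is not Standby Ready, or non-zero xerr/rerr counters in the Stateful Obj table, which mean state replication is failing silently while the active unit keeps passing traffic. The parser below is an added example, not from the Cisco guide; the sample output is constructed to resemble the Active/Standby form of show failover, so the exact spacing and the non-Normal state strings are assumptions, and the field names follow Tables 11-4 and 11-5.

```python
"""Parse `show failover` output and raise alerts.

Added example, not from the Cisco guide. SAMPLE_SHOW_FAILOVER is a
constructed approximation of PIX 7.0 Active/Standby output; the
interface state strings other than "Normal" are assumptions.
"""
import re

SAMPLE_SHOW_FAILOVER = """\
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: folink Ethernet2 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
This host: Primary - Active
        Active time: 13434 (sec)
        Interface outside (192.168.1.2): Normal
        Interface inside (10.1.1.1): Normal
        Interface dmz (10.2.1.1): Failed
Other host: Secondary - Standby Ready
        Active time: 0 (sec)
        Interface outside (192.168.1.3): Normal
        Interface inside (10.1.1.2): Normal
        Interface dmz (10.2.1.2): Failed

Stateful Failover Logical Update Statistics
        Link : state Ethernet3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         1895       0          1895       0
        sys cmd         1895       0          1895       0
        TCP conn        412        3          0          0
        UDP conn        0          0          0          0
        ARP tbl         17         0          0          0
"""

MON_RE = re.compile(r"^Monitored Interfaces (\d+) of (\d+) maximum")
HOST_RE = re.compile(r"^(This|Other) host: (\w+) - (.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\): (.+?)\s*$")
# Stateful Obj rows: a name (may contain one space), then xmit xerr rcv rerr.
STAT_RE = re.compile(r"^\s*(.+?)\s{2,}(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_show_failover(text):
    """Return {"monitored": (n, max), "hosts": {...}, "stats": {obj: (xmit, xerr, rcv, rerr)}}."""
    result = {"monitored": None, "hosts": {}, "stats": {}}
    current = None
    for line in text.splitlines():
        m = MON_RE.match(line)
        if m:
            result["monitored"] = (int(m.group(1)), int(m.group(2)))
            continue
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            result["hosts"][current] = {"unit": m.group(2), "state": m.group(3), "interfaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and current:
            result["hosts"][current]["interfaces"][m.group(1)] = (m.group(2), m.group(3))
            continue
        m = STAT_RE.match(line)
        if m:
            result["stats"][m.group(1)] = tuple(int(x) for x in m.groups()[1:])
    return result


def failover_alerts(text):
    """Conditions an operator should look at right away."""
    parsed = parse_show_failover(text)
    alerts = []
    for host, info in parsed["hosts"].items():
        for name, (addr, state) in info["interfaces"].items():
            if state != "Normal":
                alerts.append(f"{host} host: interface {name} ({addr}) is {state}")
    this, other = parsed["hosts"].get("This"), parsed["hosts"].get("Other")
    if this and other and this["state"] == "Active" and other["state"] != "Standby Ready":
        alerts.append(f"peer is '{other['state']}', not Standby Ready: no failover protection")
    for obj, (xmit, xerr, rcv, rerr) in parsed["stats"].items():
        if xerr or rerr:
            alerts.append(f"{obj}: {xerr} transmit / {rerr} receive errors in state replication")
    return alerts


if __name__ == "__main__":
    for alert in failover_alerts(SAMPLE_SHOW_FAILOVER):
        print(alert)
```

The same parser works on the per-context output in multiple context mode, where the host lines report the context's active/standby status instead of the unit's.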
Controlling and Monitoring Failover

Step 4 If the test was not successful, enter the show failover command to check the failover status.

Disabling Failover

To disable failover, enter the following command:
hostname(config)# no failover
Disabling failover on an Active/Standby pair causes the active and standby state of each unit to be maintained until you restart. For example, the standby unit remains in standby mode so that both units do not start passing traffic.

Debug Messages

To see debug messages, enter the debug fover command. See the Cisco Security Appliance Command Reference for more information.
Note: Because debugging output is assigned high priority in the CPU process, it can drastically affect system performance. For this reason, use the debug fover commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff.
Failover Configuration Examples

Cable-Based Active/Standby Failover Example

Figure 11-2 shows the network diagram for a failover configuration using a serial Failover cable.

Figure 11-2 Cable-Based Failover Configuration (diagram; labels shown: Internet 209.165.201.4; Switch; Primary Unit 209.165.201.1; PAT 209.165.201.3; outside; Serial Failover Cable; 192.168.253.1; Secondary Unit 209.165.201.2; 192.168.253.2; state; 192.168.2.1; 192.168.2.2; inside; Web Server 192.168.2.5; Static: 209.165.201.)

passwd iyymOglaKJgF2fx6 encrypted
telnet 192.168.2.45 255.255.255.255
hostname pixfirewall
access-list acl_out permit tcp any host 209.165.201.5 eq 80
failover
failover link state Ethernet3
failover ip address state 192.168.253.1 255.255.255.252 standby 192.168.253.2
global (outside) 1 209.165.201.3 netmask 255.255.255.224
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 209.165.201.5 192.168.2.5 netmask 255.255.255.

Example 11-2 (primary unit) and Example 11-3 (secondary unit) list the typical commands in a LAN-based failover configuration.

Example 11-2 LAN-Based Failover Configuration: Primary Unit
interface Ethernet0
 nameif outside
 ip address 209.165.201.1 255.255.255.224 standby 209.165.201.2
interface Ethernet1
 nameif inside
 ip address 192.168.2.1 255.255.255.0 standby 192.168.2.

LAN-Based Active/Active Failover Example

The following example shows how to configure Active/Active failover. In this example there are 2 user contexts, named admin and ctx1. Figure 11-4 shows the network diagram for the example.

Figure 11-4 Active/Active Failover Configuration (diagram; labels shown: Internet; 192.168.5.1; 192.168.10.71; Switch; 192.168.5.101 Outside (admin); Primary 192.168.10.41 (ctx1); Failover Group 1 Active; Failover Link 10.0.4.)

enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname ciscopix
boot system flash:/cdisk.bin
ftp mode passive
no pager
failover
failover lan unit primary
failover lan interface folink Ethernet0
failover link folink Ethernet0
failover interface ip folink 10.0.4.1 255.255.255.0 standby 10.0.4.

 security-level 100
 ip address 192.168.0.1 255.255.255.0 standby 192.168.0.11
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname admin
pager lines 24
mtu outside 1500
mtu inside 1500
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
no vpn-addr-assign local
monitor-interface outside
monitor-interface inside
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 192.168.5.

monitor-interface inside
monitor-interface outside
no asdm history enable
arp timeout 14400
access-group 201 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.10.
PART 2 Configuring the Firewall

CHAPTER 12 Firewall Mode Overview

This chapter describes how the firewall works in each firewall mode. The security appliance can run in two firewall modes:
• Routed mode
• Transparent mode
In routed mode, the security appliance is considered to be a router hop in the network. It can perform NAT between connected networks, and can use OSPF or passive RIP (in single context mode). Routed mode supports many interfaces. Each interface is on a different subnet.
Routed Mode Overview

IP Routing Support

The security appliance acts as a router between connected networks, and each interface requires an IP address on a different subnet. In single context mode, the routed firewall supports OSPF and RIP (in passive mode). Multiple context mode supports static routes only. We recommend using the advanced routing capabilities of the upstream and downstream routers instead of relying on the security appliance for extensive routing needs.

Figure 12-1 NAT Example (diagram: web server www.example.com on the outside; outside interface 209.165.201.2; the originating packet's source address is translated from 10.1.2.27 to 209.165.201.10; the responding packet's destination address is translated from 209.165.201.10 back to 10.1.2.27; inside interface 10.1.2.1; inside host 10.1.2.)

An Inside User Visits a Web Server

Figure 12-2 shows an inside user accessing an outside web server.

Figure 12-2 Inside to Outside (diagram: www.example.com on the outside; outside interface 209.165.201.2; source address translation 10.1.2.27 to 209.165.201.10; interfaces 10.1.2.1 and 10.1.1.1; DMZ; user 10.1.2.27; web server 10.1.1.3; inside)

The following steps describe how data moves through the security appliance (see Figure 12-2):
1.

5. When www.example.com responds to the request, the packet goes through the security appliance, and because the session is already established, the packet bypasses the many lookups associated with a new connection. The security appliance performs NAT by translating the global destination address to the local user address, 10.1.2.27.
6. The security appliance forwards the packet to the inside user.

4. The security appliance then adds a session entry to the fast path and forwards the packet from the DMZ interface.
5. When the DMZ web server responds to the request, the packet goes through the security appliance, and because the session is already established, the packet bypasses the many lookups associated with a new connection. The security appliance performs NAT by translating the local source address to 209.165.201.3.
6.

3. The security appliance then records that a session is established and forwards the packet out of the DMZ interface.
4. When the DMZ web server responds to the request, the packet goes through the fast path, which lets the packet bypass the many lookups associated with a new connection.
5. The security appliance forwards the packet to the inside user.
A DMZ User Attempts to Access an Inside Host

Figure 12-6 shows a user in the DMZ attempting to access the inside network.

Figure 12-6 DMZ to Inside (diagram: outside interface 209.165.201.2; interfaces 10.1.2.1 and 10.1.1.1; DMZ user; host 10.1.2.27; web server 10.1.1.3; inside)

The following steps describe how data moves through the security appliance (see Figure 12-6):
1. A user on the DMZ network attempts to reach an inside host.

Transparent Mode Overview

Transparent Firewall Features

Traditionally, a firewall is a routed hop and acts as a default gateway for hosts that connect to one of its screened subnets. A transparent firewall, on the other hand, is a Layer 2 firewall that acts like a "bump in the wire," or a "stealth firewall," and is not seen as a router hop to connected devices. The security appliance connects the same network on its inside and outside ports.

Using the Transparent Firewall in Your Network

Figure 12-7 shows a typical transparent firewall network where the outside devices are on the same subnet as the inside devices. The inside router and hosts appear to be directly connected to the outside router.

Figure 12-7 Transparent Firewall Network (diagram: Internet; 10.1.1.1; Network A; Management IP 10.1.1.2; 10.1.1.3; Network B 192.168.1.)

• Each directly connected network must be on the same subnet.
• Do not specify the security appliance management IP address as the default gateway for connected devices; devices need to specify the router on the other side of the security appliance as the default gateway.
• For multiple context mode, each context must use different interfaces; you cannot share an interface across contexts.

How Data Moves Through the Transparent Firewall

Figure 12-8 shows a typical transparent firewall implementation with an inside network that contains a public web server. The security appliance has an access list so that the inside users can access Internet resources. Another access list lets the outside users access only the web server on the inside network.

Figure 12-8 Typical Transparent Firewall Data Path (diagram: www.example.com; Internet; 209.165.)

An Inside User Visits a Web Server

Figure 12-9 shows an inside user accessing an outside web server.

Figure 12-9 Inside to Outside (diagram: www.example.com; Internet 209.165.201.2; host 209.165.201.3; Management IP 209.165.201.6)

The following steps describe how data moves through the security appliance (see Figure 12-9):
1. The user on the inside network requests a web page from www.example.com.
2.

An Outside User Visits a Web Server on the Inside Network

Figure 12-10 shows an outside user accessing the inside web server.

Figure 12-10 Outside to Inside (diagram: outside host; Internet 209.165.201.2; Management IP 209.165.201.6; 209.165.201.1; web server 209.165.200.225; 209.165.200.230)

The following steps describe how data moves through the security appliance (see Figure 12-10):
1.

An Outside User Attempts to Access an Inside Host

Figure 12-11 shows an outside user attempting to access a host on the inside network.

Figure 12-11 Outside to Inside (diagram: outside host; Internet 209.165.201.2; Management IP 209.165.201.6; host 209.165.201.3)

The following steps describe how data moves through the security appliance (see Figure 12-11):
1. A user on the outside network attempts to reach an inside host.
2.
CHAPTER 13 Identifying Traffic with Access Lists

This chapter describes how to identify traffic with access lists.

Access List Overview

Access List Types and Uses

This section includes the following topics:
• Access List Type Overview, page 13-2
• Controlling Network Access for IP Traffic (Extended), page 13-2
• Identifying Traffic for AAA Rules (Extended), page 13-3
• Controlling Network Access for IP Traffic for a Given User (Extended), page 13-4
• Identifying Addresses for Policy NAT and NAT Exemption (Extended), page 13-4
• VPN Access (Extended), page 13

For TCP and UDP connections, you do not need an access list to allow returning traffic, because the security appliance allows all returning traffic for established connections.

b. Apply the access list using the aaa authorization match command.
• To identify traffic for network access authentication using a TACACS+ or RADIUS server, perform the following tasks:
a. Add the access list using the "Adding an Extended Access List" section on page 13-9. Permit entries in the access list mark matching traffic for authentication, while deny entries exclude matching traffic from authentication.
b.

To use access lists with NAT, perform the following tasks:
1. Add the access list using the "Adding an Extended Access List" section on page 13-9. This access list can contain only permit elements. Specify ports using the eq operator.
2.

Controlling Network Access for Non-IP Traffic (EtherType)

Transparent firewall mode only

You can configure an access list that controls traffic based on its EtherType. The security appliance can control any EtherType identified by a 16-bit hexadecimal number. EtherType access lists support Ethernet V2 frames. 802.3-formatted frames are not handled by the access list because they use a length field as opposed to a type field.
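The distinction the last paragraph draws is decided by two bytes at offset 12 of the frame: in an Ethernet V2 frame they hold an EtherType, in an 802.3 frame they hold the payload length, and the two ranges do not overlap (lengths are at most 1500, EtherTypes are 0x0600 and above). The code below is an added example, not from the Cisco guide. It builds frames of both kinds, classifies them, and applies a small EtherType list with first-match semantics and the implicit deny at the end; the list representation, the function names and the treatment of an 802.3 frame as "not handled" (returning None) are this example's own, and the list only models EtherType lists, not the extended lists that govern IP traffic.

```python
"""EtherType access list semantics on raw Ethernet frames.

Added example, not from the Cisco guide. The 0x0600 split is the IEEE
802.3 length/type convention; the ACL data structure, first-match
evaluation and the None result for 802.3 frames are this example's own.
"""
import struct

ETHERTYPE_MIN = 0x0600   # values below this in the length/type field are 802.3 lengths

# Constructed ACL: permit MPLS unicast and multicast EtherTypes, implicit deny for the rest.
MPLS_ONLY_ACL = [("permit", 0x8847), ("permit", 0x8848)]


def build_frame(type_or_len, payload=b"\x00" * 46):
    """Return a 14-byte Ethernet header plus payload; the caller chooses the length/type value."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("001122334455")   # constructed source MAC
    return dst + src + struct.pack("!H", type_or_len) + payload


def classify_frame(frame):
    """Return ("ethernet2", ethertype) or ("802.3", length) from the length/type field."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (type_or_len,) = struct.unpack("!H", frame[12:14])
    if type_or_len >= ETHERTYPE_MIN:
        return ("ethernet2", type_or_len)
    return ("802.3", type_or_len)


def evaluate_ethertype_acl(acl, frame):
    """acl: list of (action, ethertype or "any"); first match wins, then implicit deny.

    802.3-formatted frames carry no EtherType, so the list cannot match them:
    return None to make that visible instead of silently denying or permitting.
    """
    kind, value = classify_frame(frame)
    if kind != "ethernet2":
        return None
    for action, match in acl:
        if match == "any" or match == value:
            return action
    return "deny"


if __name__ == "__main__":
    for label, frame in (("MPLS", build_frame(0x8847)), ("IPX", build_frame(0x8137)),
                         ("802.3 length 46", build_frame(46))):
        print(label, classify_frame(frame), evaluate_ethertype_acl(MPLS_ONLY_ACL, frame))
```

The practical consequence for a transparent firewall: protocols that ride in 802.3/LLC frames (for example some bridging and legacy IPX encapsulations) are neither permitted nor denied by an EtherType list, so do not rely on such a list to block them.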
Access Control Implicit Deny

Access lists have an implicit deny at the end of the list, so unless you explicitly permit it, traffic cannot pass. Entries are evaluated in order and the first match decides. For example, if you want to allow all users to access a network through the security appliance except for particular addresses, then you need to deny the particular addresses first and then permit all others.

Figure 13-2 IP Addresses in Access Lists: NAT used for Destination Addresses (diagram: outside host 209.165.200.225; the ACL permits traffic from 209.165.200.225 to 209.165.201.5; static NAT maps 209.165.201.5 to the inside host 10.1.1.34)

See the following commands for this example:
hostname(config)# access-list OUTSIDE extended permit ip host 209.165.200.225 host 209.165.201.

See the following commands for this example:
hostname(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 10.1.1.

Adding an Extended Access List

• Add an ACE for a specific protocol by entering the following command:
hostname(config)# access-list access_list_name [line line_number] [extended] {deny | permit} protocol source_address mask dest_address mask
This type of ACE lets you specify any protocol for the source and destination addresses, but not ports. Typically, you specify the ip keyword for the protocol, but other protocols are accepted.

For information about logging options that you can add to the end of the ACE, see the "Logging Access List Activity" section on page 13-20.

The following access list restricts all hosts (on the interface to which you apply the access list) from accessing a website at address 209.165.201.29. All other traffic is allowed.
hostname(config)# access-list ACL_IN extended deny tcp any host 209.165.201.

Adding an EtherType Access List

On Cisco IOS routers, enter the appropriate command for your protocol, LDP or TDP. The interface is the interface connected to the security appliance.
hostname(config)# mpls ldp router-id interface force
Or
hostname(config)# tag-switching tdp router-id interface force
You can apply only one access list of each type (extended and EtherType) to each direction of an interface.

Adding a Standard Access List

Single context mode only

Standard access lists identify the destination IP addresses of OSPF routes, and can be used in a route map for OSPF redistribution. Standard access lists cannot be applied to interfaces to control traffic. The following command adds a standard ACE. To add another ACE at the end of the access list, enter another access-list command specifying the same access list name.
Simplifying Access Lists with Object Grouping

You can also nest object groups in other object groups.

Note: The ACE system limit applies to expanded access lists. If you use object groups in ACEs, the number of actual ACEs that you enter is fewer, but the number of expanded ACEs is the same as without object groups.

For example, to create a protocol group for TCP, UDP, and ICMP, enter the following commands:
hostname(config)# object-group protocol tcp_udp_icmp
hostname(config-protocol)# protocol-object tcp
hostname(config-protocol)# protocol-object udp
hostname(config-protocol)# protocol-object icmp

Adding a Network Object Group

To add or change a network object group, follow these steps.

To add a service group, follow these steps:
Step 1 To add a service group, enter the following command:
hostname(config)# object-group service grp_id {tcp | udp | tcp-udp}
The grp_id is a text string up to 64 characters in length. Specify the protocol for the services (ports) you want to add, using the tcp, udp, or tcp-udp keyword.

Step 2 (Optional) To add a description, enter the following command:
hostname(config-icmp-type)# description text
The description can be up to 200 characters.
Step 3 To define the ICMP types in the group, enter the following command for each type:
hostname(config-icmp-type)# icmp-object icmp_type
See the "ICMP Types" section on page D-15 for a list of ICMP types.

You then nest all three groups together as follows:
hostname(config)# object-group network admin
hostname(config-network)# group-object eng
hostname(config-network)# group-object hr
hostname(config-network)# group-object finance
You only need to specify the admin object group in your ACE as follows:
hostname(config)# access-list ACL_IN extended permit ip object-group admin host 209.165.201.

If you make two network object groups, one for the inside hosts and one for the web servers, then the configuration can be simplified and can be easily modified to add more hosts:
hostname(config)# object-group network denied
hostname(config-network)# network-object host 10.1.1.4
hostname(config-network)# network-object host 10.1.1.78
hostname(config-network)# network-object host 10.1.1.
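Two things in this chapter are worth seeing in code together: the Note above that the ACE system limit is charged against the expanded list (every source times every destination times every port becomes one entry), and the implicit-deny, first-match evaluation described under "Access Control Implicit Deny". The parser and evaluator below are an added example, not from the Cisco guide. They read a constructed configuration written in the guide's own syntax (the denied hosts follow the example above, with 10.1.1.89 as the third host, the web servers 209.165.201.29 and 209.165.201.16 and the tcp service group are this example's own), expand the object groups, count the expanded ACEs, and evaluate sample packets. Only a subset of the access-list grammar is handled: ip/tcp/udp, any, host, network with mask, eq and range ports, and object-group references for addresses and destination ports.

```python
"""Object-group expansion and first-match evaluation for PIX-style
extended access lists.

Added example, not from the Cisco guide. The parser supports a subset
of the access-list grammar; PORT_NAMES is a partial name table.
"""
import ipaddress

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "telnet": 23, "smtp": 25}

# Constructed configuration in the guide's syntax (third denied host and
# the web/service groups are this example's own).
SAMPLE_CONFIG = """\
object-group network denied
 network-object host 10.1.1.4
 network-object host 10.1.1.78
 network-object host 10.1.1.89
object-group network web
 network-object host 209.165.201.29
 network-object host 209.165.201.16
object-group service web_ports tcp
 port-object eq www
 port-object eq 8080
access-list ACL_IN extended deny tcp object-group denied object-group web object-group web_ports
access-list ACL_IN extended permit ip any any
"""


def port_number(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def expand_network(name, groups):
    """Flatten a network object group (nested group-object included) to a list of networks."""
    nets = []
    for tok in groups[name]["members"]:
        if tok[0] == "network-object" and tok[1] == "host":
            nets.append(ipaddress.ip_network(tok[2]))
        elif tok[0] == "network-object":
            nets.append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False))
        elif tok[0] == "group-object":
            nets.extend(expand_network(tok[1], groups))
    return nets


def expand_service(name, groups):
    """Flatten a service object group to (low, high) port ranges."""
    ports = []
    for tok in groups[name]["members"]:
        if tok[0] == "port-object" and tok[1] == "eq":
            p = port_number(tok[2])
            ports.append((p, p))
        elif tok[0] == "port-object" and tok[1] == "range":
            ports.append((port_number(tok[2]), port_number(tok[3])))
    return ports


def parse_address(tokens, i, groups):
    """Parse one address spec starting at tokens[i]; return (networks, next index)."""
    if tokens[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tokens[i] == "host":
        return [ipaddress.ip_network(tokens[i + 1])], i + 2
    if tokens[i] == "object-group":
        return expand_network(tokens[i + 1], groups), i + 2
    return [ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)], i + 2


def parse_port(tokens, i, groups):
    """Optional destination port spec; absent means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        p = port_number(tokens[i + 1])
        return [(p, p)], i + 2
    if i < len(tokens) and tokens[i] == "object-group":
        return expand_service(tokens[i + 1], groups), i + 2
    return [(0, 65535)], i


def parse_ace(tokens, groups):
    i = 1 if tokens[0] == "extended" else 0
    action, proto = tokens[i], tokens[i + 1]
    srcs, i = parse_address(tokens, i + 2, groups)
    dsts, i = parse_address(tokens, i, groups)
    ports, i = parse_port(tokens, i, groups)
    return {"action": action, "proto": proto, "src": srcs, "dst": dsts, "dport": ports}


def parse_config(text):
    """Return (object groups, {acl name: [ACEs in configured order]})."""
    groups, acls, current = {}, {}, None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "object-group":
            current = tok[2]
            groups[current] = {"type": tok[1], "members": []}
        elif tok[0] in ("network-object", "port-object", "group-object"):
            groups[current]["members"].append(tok)
        elif tok[0] == "access-list":
            acls.setdefault(tok[1], []).append(parse_ace(tok[2:], groups))
    return groups, acls


def expanded_ace_count(acl):
    """What the ACE system limit is charged for: one entry per source/destination/port combination."""
    return sum(len(a["src"]) * len(a["dst"]) * len(a["dport"]) for a in acl)


def evaluate(acl, proto, src, dst, dport):
    """First matching ACE decides; no match means the implicit deny at the end of the list."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if (any(s in n for n in ace["src"]) and any(d in n for n in ace["dst"])
                and any(lo <= dport <= hi for lo, hi in ace["dport"])):
            return ace["action"]
    return "deny"
```

Swapping the two ACL_IN lines (permit first, then deny) makes the deny unreachable, which is the ordering mistake the implicit-deny section warns against; the evaluator reproduces that because it stops at the first match.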
Adding Remarks to Access Lists

You can include remarks about entries in any access list, including extended, EtherType, and standard access lists. The remarks make the access list easier to understand.

Logging Access List Activity

Access List Logging Overview

By default, when traffic is denied by an extended ACE or a Webtype ACE, the security appliance generates system message 106023 for each denied packet, in the following form:
%PIX-4-106023: Deny protocol src [interface_name:source_address/source_port] dst interface_name:dest_address/dest_port [type {string}, code {code}] by access_group acl_id
If the security appliance is attacked, the number of syst

Configuring Logging for an Access Control Entry

To configure logging for an ACE, see the following information about the log option:
hostname(config)# access-list access_list_name [extended] {deny | permit} ... [log [[level] [interval secs] | disable | default]]
See the "Adding an Extended Access List" section on page 13-9 for complete access-list command syntax.

Managing Deny Flows

When you enable logging for message 106100, if a packet matches an ACE, the security appliance creates a flow entry to track the number of packets received within a specific interval. The security appliance has a maximum of 32 K logging flows for ACEs. A large number of flows can exist concurrently at any point of time.
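Whichever of the two messages you end up with, per-packet 106023 by default or per-flow 106100 with a hit count once the log option is on, the thing to extract is the same: which source was denied against which destinations and ports, and how many packets that represents. The parser below is an added example, not from the Cisco guide. The 106023 pattern follows the form quoted in the logging overview; the 106100 layout (access-list name, permitted/denied, protocol, interface/address(port) pairs, hit-cnt) is written from memory and the sample lines are constructed, so treat the exact field layout as an assumption. The "distinct targets per source" heuristic and its threshold are this example's own.

```python
"""Parse access-list deny messages (106023 and 106100) and summarize
denied flows per source.

Added example, not from the Cisco guide. SAMPLE_LOG is constructed; the
106100 field layout is an assumption.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src outside:209.165.200.225/43521 dst inside:10.1.1.34/23 by access-group "OUTSIDE"
%PIX-4-106023: Deny tcp src outside:209.165.200.225/43522 dst inside:10.1.1.34/22 by access-group "OUTSIDE"
%PIX-4-106023: Deny tcp src outside:209.165.200.225/43523 dst inside:10.1.1.35/445 by access-group "OUTSIDE"
%PIX-4-106023: Deny udp src outside:209.165.201.30/5060 dst inside:10.1.1.34/5060 by access-group "OUTSIDE"
%PIX-4-106023: Deny icmp src outside:209.165.200.225 dst inside:10.1.1.36 (type 8, code 0) by access-group "OUTSIDE"
%PIX-6-106100: access-list OUTSIDE denied tcp outside/209.165.200.225(43524) -> inside/10.1.1.37(3389) hit-cnt 5 (300-second interval)
"""

# Ports are absent for ICMP, which carries type/code instead; both spellings
# of access-group seen in documentation are accepted.
RE_106023 = re.compile(
    r'%PIX-\d-106023: Deny (\S+) src (\S+?):([\d.]+)(?:/(\d+))? dst (\S+?):([\d.]+)(?:/(\d+))?'
    r'(?: \(type (\d+), code (\d+)\))? by access[-_]group "?([^"\s]+)"?')
RE_106100 = re.compile(
    r'%PIX-\d-106100: access-list (\S+) (permitted|denied) (\S+) '
    r'(\S+)/([\d.]+)\((\d+)\) -> (\S+)/([\d.]+)\((\d+)\) hit-cnt (\d+)')


def parse_line(line):
    """Return a normalized record for a 106023 or 106100 line, else None."""
    m = RE_106023.search(line)
    if m:
        proto, sif, src, sport, dif, dst, dport, _itype, _icode, acl = m.groups()
        return {"msg": "106023", "action": "denied", "proto": proto, "src_if": sif, "src": src,
                "sport": int(sport) if sport else None, "dst_if": dif, "dst": dst,
                "dport": int(dport) if dport else None, "acl": acl, "count": 1}
    m = RE_106100.search(line)
    if m:
        acl, action, proto, sif, src, sport, dif, dst, dport, hits = m.groups()
        return {"msg": "106100", "action": action, "proto": proto, "src_if": sif, "src": src,
                "sport": int(sport), "dst_if": dif, "dst": dst, "dport": int(dport),
                "acl": acl, "count": int(hits)}
    return None


def parse_log(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def denied_packets(records):
    """Total denied packets: 106100 contributes its hit count, 106023 one per line."""
    return sum(r["count"] for r in records if r["action"] == "denied")


def suspicious_sources(records, threshold=3):
    """Sources denied against at least `threshold` distinct (destination, port) targets.
    One host probing several services looks different from one blocked flow repeating."""
    targets = defaultdict(set)
    for r in records:
        if r["action"] == "denied":
            targets[r["src"]].add((r["dst"], r["dport"]))
    return sorted(src for src, seen in targets.items() if len(seen) >= threshold)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(len(recs), "records,", denied_packets(recs), "denied packets")
    print("sources hitting several targets:", suspicious_sources(recs))
```

Because 106100 aggregates per flow and interval, counting lines instead of hit counts under-reports an attack once the log option is enabled; the `count` field keeps the two message types comparable.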
CHAPTER 14 Applying NAT

This chapter describes Network Address Translation (NAT). In routed firewall mode, the security appliance can perform NAT between each network.
Note: In transparent firewall mode, the security appliance does not support NAT.

NAT Overview

Introduction to NAT

Address translation substitutes the real address in a packet with a mapped address that is routable on the destination network. NAT is comprised of two steps: the process in which a real address is translated into a mapped address, and then the process to undo translation for returning traffic. The security appliance translates an address when a NAT rule matches the traffic. If no NAT rule matches, processing for the packet continues.

Figure 14-1 NAT Example (diagram: web server www.cisco.com on the outside; outside interface 209.165.201.2; the originating packet's source 10.1.2.27 is translated to 209.165.201.10; the responding packet's destination 209.165.201.10 is translated back to 10.1.2.27; inside interface 10.1.2.1; inside host 10.1.2.27)

See the following commands for this example:
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.1-209.165.201.

Interfaces at the same security level are not required to use NAT to communicate. However, if you configure dynamic NAT or PAT on a same security interface, then all traffic from the interface to a same security interface or an outside interface must match a NAT rule (see Figure 14-3).

Figure 14-3 NAT Control and Same Security Traffic (diagram: two security appliances; host 10.1.1.1 with dynamic NAT to 209.165.201.1; host 10.1.1.1 with no NAT to 10.1.2.)

NAT Types

This section describes the available NAT types. You can implement address translation as dynamic NAT, Port Address Translation, static NAT, or static PAT, or as a mix of these types. You can also configure rules to bypass NAT, for example, if you enable NAT control but do not want to perform NAT.

Figure 14-6 shows a remote host attempting to initiate a connection to a mapped address. This address is not currently in the translation table, so the security appliance drops the packet.

Figure 14-6 Remote Host Attempts to Initiate a Connection to a Mapped Address (diagram: web server www.example.com on the outside; outside interface 209.165.201.2; mapped address 209.165.201.10; inside interface 10.1.2.1; inside host 10.1.2.)

After the connection expires, the port translation also expires after 30 seconds of inactivity. The timeout is not configurable. Users on the destination network cannot reliably initiate a connection to a host that uses PAT (even if the connection is allowed by an access list). Not only can you not predict the real or mapped port number of the host, but the security appliance does not create a translation at all unless the translated host is the initiator.
Chapter 14 Applying NAT NAT Overview For example, if you want to provide a single address for remote users to access FTP, HTTP, and SMTP, but these are all actually different servers on the real network, you can specify static PAT statements for each server that uses the same mapped IP address, but different ports (see Figure 14-7). Figure 14-7 Static PAT Host Undo Translation 209.165.201.3:21 10.1.2.27 Outside Undo Translation 209.165.201.3:25 10.1.2.29 Undo Translation 209.165.201.3:80 10.1.2.
Chapter 14 Applying NAT NAT Overview Bypassing NAT when NAT Control is Enabled If you enable NAT control, then inside hosts must match a NAT rule when accessing outside hosts. If you do not want to perform NAT for some hosts, then you can bypass NAT for those hosts (alternatively, you can disable NAT control).
Chapter 14 Applying NAT NAT Overview Figure 14-8 shows a host on the 10.1.2.0/24 network accessing two different servers. When the host accesses the server at 209.165.201.11, the real address is translated to 209.165.202.129. When the host accesses the server at 209.165.200.225, the real address is translated to 209.165.202.130 so that the host appears to be on the same network as the servers, which can help with routing. Figure 14-8 Policy NAT with Different Destination Addresses Server 1 209.165.201.
Chapter 14 Applying NAT NAT Overview Figure 14-9 shows the use of source and destination ports. The host on the 10.1.2.0/24 network accesses a single host for both web services and Telnet services. When the host accesses the server for web services, the real address is translated to 209.165.202.129. When the host accesses the same server for Telnet services, the real address is translated to 209.165.202.130. Figure 14-9 Policy NAT with Different Destination Ports Web and Telnet server: 209.165.201.
Chapter 14 Applying NAT NAT Overview Figure 14-10 shows a remote host connecting to a translated host. The translated host has a policy static NAT translation that translates the real address only for traffic to and from the 209.165.201.0/27 network. A translation does not exist for the 209.165.200.224/27 network, so the translated host cannot connect to that network, nor can a host on that network connect to the translated host. Figure 14-10 Policy Static NAT with Destination Address Translation 209.
Chapter 14 Applying NAT NAT Overview Note The security appliance does not support VoIP inspection engines when you configure NAT on same security interfaces. These inspection engines include Skinny, SIP, and H.323. See the “Application Inspection Engines” section on page 21-1 for supported inspection engines. Order of NAT Commands Used to Match Real Addresses The security appliance matches real addresses to NAT commands in the following order: 1.
Chapter 14 Applying NAT NAT Overview DNS and NAT You might need to configure the security appliance to modify DNS replies by replacing the address in the reply with an address that matches the NAT configuration. You can configure DNS modification when you configure each translation. For example, a DNS server is accessible from the outside interface. A server, ftp.cisco.com, is on the inside interface. You configure the security appliance to statically translate the ftp.cisco.com real address (10.1.3.
Chapter 14 Applying NAT Configuring NAT Control Figure 14-12 shows a web server and DNS server on the outside. The security appliance has a static translation for the outside server. In this case, when an inside user requests the address for ftp.cisco.com from the DNS server, the DNS server responds with the real address, 209.165.20.10. Because you want inside users to use the mapped address for ftp.cisco.com (10.1.2.56) you need to configure DNS reply modification for the static translation.
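The direction in which a reply must cross a static translation decides whether the address in the A record is rewritten, which is easy to get backwards. The following model, added here as an example rather than taken from the Cisco guide, replays the two scenarios of the "DNS and NAT" section: the inside ftp.cisco.com server whose real address is given here as the constructed placeholder 10.1.3.14, and the Figure 14-12 case with the web and DNS servers on the outside. Only a translation configured with the dns keyword is consulted.

```python
"""Model of DNS reply modification (the dns keyword on a static translation).

Added example; this is not code from the Cisco guide. It replays the two
scenarios in the 'DNS and NAT' section. The inside server's real address
(10.1.3.14) is a constructed placeholder.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class StaticXlate:
    """static (real_if,mapped_if) mapped_ip real_ip [dns]"""
    real_if: str
    mapped_if: str
    mapped_ip: IPv4Address
    real_ip: IPv4Address
    dns: bool = False


def rewrite_a_record(xlates, reply_in_if, reply_out_if, answer):
    """Return the address the DNS client should see in the forwarded reply.

    reply_in_if  - interface on which the reply from the DNS server arrives
    reply_out_if - interface through which it is forwarded to the client
    answer       - address carried in the A record of the reply
    Only translations configured with dns are consulted. The address is
    rewritten when the reply crosses from the translation's mapped side to
    its real side (the client needs the real address) or the other way round
    (the client needs the mapped address).
    """
    for x in xlates:
        if not x.dns:
            continue
        crosses_to_real = reply_in_if == x.mapped_if and reply_out_if == x.real_if
        crosses_to_mapped = reply_in_if == x.real_if and reply_out_if == x.mapped_if
        if crosses_to_real and answer == x.mapped_ip:
            return x.real_ip
        if crosses_to_mapped and answer == x.real_ip:
            return x.mapped_ip
    return answer


def inside_server_case():
    """ftp.cisco.com is on the inside, the DNS server on the outside. The DNS
    server answers with the mapped address; the inside user must be handed
    the real address to reach the server directly."""
    xl = [StaticXlate("inside", "outside", IPv4Address("209.165.201.10"),
                      IPv4Address("10.1.3.14"), dns=True)]   # 10.1.3.14 is constructed
    return str(rewrite_a_record(xl, "outside", "inside", IPv4Address("209.165.201.10")))


def outside_server_case():
    """Figure 14-12: web server and DNS server both on the outside. The DNS
    server answers with the real address 209.165.20.10; the inside user must
    be handed the mapped address 10.1.2.56 instead."""
    xl = [StaticXlate("outside", "inside", IPv4Address("10.1.2.56"),
                      IPv4Address("209.165.20.10"), dns=True)]
    return str(rewrite_a_record(xl, "outside", "inside", IPv4Address("209.165.20.10")))


def without_dns_keyword():
    """Same translation as outside_server_case but without dns: the reply is
    forwarded unchanged, so the inside user is pointed at the real address
    rather than the mapped address it should use."""
    xl = [StaticXlate("outside", "inside", IPv4Address("10.1.2.56"),
                      IPv4Address("209.165.20.10"))]
    return str(rewrite_a_record(xl, "outside", "inside", IPv4Address("209.165.20.10")))
```

The three helper functions return the address the client receives in each scenario; the last one shows the failure mode when the dns keyword is omitted from a translation that needs it.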
Chapter 14 Applying NAT Using Dynamic NAT and PAT Using Dynamic NAT and PAT This section describes how to configure dynamic NAT and PAT, and includes the following topics: • Dynamic NAT and PAT Implementation, page 14-16 • Configuring Dynamic NAT or PAT, page 14-22 Dynamic NAT and PAT Implementation For dynamic NAT and PAT, you first configure a nat command identifying the real addresses on a given interface that you want to translate.
Chapter 14 Applying NAT Using Dynamic NAT and PAT You can enter a nat command for each interface using the same NAT ID; they all use the same global command when traffic exits a given interface. For example, you can configure nat commands for Inside and DMZ interfaces, both on NAT ID 1. Then you configure a global command on the Outside interface that is also on ID 1.
Chapter 14 Applying NAT Using Dynamic NAT and PAT You can also enter a global command for each interface using the same NAT ID. If you enter a global command for the Outside and DMZ interfaces on ID 1, then the Inside nat command identifies traffic to be translated when going to both the Outside and the DMZ interfaces. Similarly, if you also enter a nat command for the DMZ interface on ID 1, then the global command on the Outside interface is also used for DMZ traffic. (See Figure 14-15).
Chapter 14 Applying NAT Using Dynamic NAT and PAT
Figure 14-16 Different NAT IDs (diagram: inside host 10.1.2.27, covered by NAT 1 for 10.1.2.0/24, is translated to 209.165.201.3 from Global 1, the pool 209.165.201.3-209.165.201.10 on the Outside interface; inside host 192.168.1.14, covered by NAT 2 for 192.168.1.0/24, is translated to 209.165.201.11:4567 from Global 2, the single PAT address 209.165.201.11; both reach the web server www.cisco.com)
See the following commands for this example:
hostname(config)# nat (inside) 1 10.1.2.
Chapter 14 Applying NAT Using Dynamic NAT and PAT
Figure 14-17 NAT and PAT Together (diagram: inside hosts on NAT 1 for 10.1.2.0/24 reach the web server www.cisco.com through the Outside interface; 10.1.2.27 and 10.1.2.28 are translated to 209.165.201.3 and 209.165.201.4 from Global 1, the pool 209.165.201.3-209.165.201.4, and 10.1.2.29 is translated to 209.165.201.5:6096 from the second Global 1 entry, the single PAT address 209.165.201.5)
See the following commands for this example:
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# global (outside) 1 209.
Chapter 14 Applying NAT Using Dynamic NAT and PAT
Figure 14-18 Outside NAT and Inside NAT Combined (diagram: the DMZ network 10.1.1.0/24 is covered by both an outside NAT 1 entry and a regular NAT 1 entry; DMZ host 10.1.1.15 is translated to 209.165.201.4 from Global 1 on the Outside interface, the pool 209.165.201.3-209.165.201.10, and to 10.1.2.30 from Global 1 on the Inside interface, the pool 10.1.2.30-10.1.2.40; a static translation presents inside host 10.1.2.27 to the DMZ as 10.1.1.5, so DMZ traffic to 10.1.1.5 is untranslated back to 10.1.2.27)
Chapter 14 Applying NAT Using Dynamic NAT and PAT Configuring Dynamic NAT or PAT This section describes how to configure dynamic NAT or dynamic PAT. The configuration for dynamic NAT and PAT are almost identical; for NAT you specify a range of mapped addresses, and for PAT you specify a single address. Figure 14-19 shows a typical dynamic NAT scenario. Only translated hosts can create a NAT session, and responding traffic is allowed back.
Chapter 14 Applying NAT Using Dynamic NAT and PAT To configure dynamic NAT or PAT, perform the following steps:
Step 1 To identify the real addresses that you want to translate, enter one of the following commands:
• Policy NAT:
hostname(config)# nat (real_interface) nat_id access-list acl_name [dns] [outside | [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]]
You can identify overlapping addresses in other nat commands. For example, you can identify 10.1.1.0 in one command, but 10.
Chapter 14 Applying NAT Using Dynamic NAT and PAT Step 2 To identify the mapped address(es) to which you want to translate the real addresses when they exit a particular interface, enter the following command:
hostname(config)# global (mapped_interface) nat_id {mapped_ip[-mapped_ip] | interface}
This NAT ID should match a nat command NAT ID. The matching nat command identifies the addresses that you want to translate when they exit this interface.
Chapter 14 Applying NAT Using Static NAT Using Static NAT This section describes how to configure a static translation. Figure 14-21 shows a typical static NAT scenario. The translation is always active so both translated and remote hosts can originate connections, and the mapped address is statically assigned by the static command.
Figure 14-21 Static NAT (diagram: real address 10.1.1.1 is mapped to 209.165.201.1, and 10.1.1.2 to a second address in the same block)
Chapter 14 Applying NAT Using Static PAT • To configure regular static NAT, enter the following command:
hostname(config)# static (real_interface,mapped_interface) {mapped_ip | interface} real_ip [netmask mask] [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]
See the “Configuring Dynamic NAT or PAT” section on page 14-22 for information about the options.
Chapter 14 Applying NAT Using Static PAT For example, configure the following static PAT command:
static (inside,outside) tcp 192.150.49.10 21 10.1.1.10 21
Then, the security appliance automatically enacts the following nat and global commands. These internal rules are not added to your configuration, and you cannot alter them at the CLI.
nat (inside) system-internal-id 10.1.1.10
global (outside) system-internal-id 192.150.49.
Chapter 14 Applying NAT Using Static PAT For example, for Telnet traffic initiated from hosts on the 10.1.3.0 network to the security appliance outside interface (10.1.2.14), you can redirect the traffic to the inside host at 10.1.1.15 by entering the following commands:
hostname(config)# access-list TELNET permit tcp host 10.1.1.15 eq telnet 10.1.3.0 255.255.255.0 eq telnet
hostname(config)# static (inside,outside) tcp 10.1.2.14 telnet access-list TELNET
For HTTP traffic initiated from hosts on the 10.
Chapter 14 Applying NAT Bypassing NAT Bypassing NAT This section describes how to bypass NAT. You might want to bypass NAT when you enable NAT control. You can bypass NAT using identity NAT, static identity NAT, or NAT exemption. See the “Bypassing NAT when NAT Control is Enabled” section on page 14-9 for more information about these methods.
Chapter 14 Applying NAT Bypassing NAT Configuring Static Identity NAT Static identity NAT translates the real IP address to the same IP address. The translation is always active, and both “translated” and remote hosts can originate connections. Static identity NAT lets you use regular NAT or policy NAT. Policy NAT lets you identify the real and destination addresses when determining the real addresses to translate (see the “Policy NAT” section on page 14-9 for more information about policy NAT).
Chapter 14 Applying NAT Bypassing NAT For example, the following command uses static identity NAT for an inside IP address (10.1.1.3) when accessed by the outside:
hostname(config)# static (inside,outside) 10.1.1.3 10.1.1.3 netmask 255.255.255.255
The following command uses static identity NAT for an outside address (209.165.201.15) when accessed by the inside:
hostname(config)# static (outside,inside) 209.165.201.15 209.165.201.15 netmask 255.255.255.
Chapter 14 Applying NAT NAT Examples Create the access list using the access-list command (see the “Adding an Extended Access List” section on page 13-9). This access list should include only permit ACEs. Do not specify the real and destination ports in the access list; NAT exemption does not consider the ports. NAT exemption also does not consider the inactive or time-range keywords; all ACEs are considered to be active for NAT exemption configuration.
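The sections above ("Using Dynamic NAT and PAT", "Using Static NAT", "Using Static PAT" and "Bypassing NAT") each state who may originate a connection and what is matched. The following toy model, added here as an example and not code from the Cisco guide, puts those rules side by side: dynamic NAT hands out pool addresses and falls back to PAT when the pool is empty, and only accepts reverse traffic for a session the real host started; a static entry translates in both directions and can redirect a single port; NAT exemption matches on addresses only, in both directions, ignoring ports. The rule set in build_example() uses the guide's Telnet port redirect (209.165.201.5 to 10.1.1.6) and PAT address 209.165.201.15; the 10.2.2.0/24 peer network, the pool 209.165.201.3-209.165.201.4 for 10.1.1.0/24 and the hosts 10.1.1.7 to 10.1.1.9 are constructed.

```python
"""Toy model of the NAT behaviors in the sections above: dynamic NAT with a
PAT fallback (only the real side may start a session), static NAT/PAT (either
side may originate; optional port redirect) and NAT exemption (either side
may originate; ports are ignored). Added example, not the guide's code; the
10.2.2.0/24 peer network and hosts 10.1.1.7-10.1.1.9 are constructed."""
from collections import namedtuple
from ipaddress import IPv4Address, IPv4Network

Flow = namedtuple("Flow", "src dst sport dport")
# nat (real_if) N real_net  +  global (mapped_if) N pool ... | pat_ip
Dynamic = namedtuple("Dynamic", "real_if mapped_if real_net pool pat_ip")
# static (real_if,mapped_if) [tcp] mapped_ip [mapped_port] real_ip [real_port]
Static = namedtuple("Static", "real_if mapped_if mapped_ip real_ip mapped_port real_port",
                    defaults=(None, None))
# nat (real_if) 0 access-list X, where X permits real_net -> dest_net (ports ignored)
Exempt = namedtuple("Exempt", "real_if real_net dest_net")


class NatEngine:
    def __init__(self, rules):
        self.rules = rules
        self.xlate = {}         # real_ip -> mapped_ip (dynamic NAT)
        self.pat = {}           # (real_ip, sport) -> (pat_ip, mapped port)
        self.sessions = set()   # (mapped_ip, mapped_port, remote_ip, remote_port)
        self.next_port = 1024

    def translate(self, flow, in_if, out_if):
        """Return (action, translated_flow); action is exempt, xlate or drop."""
        for r in self.rules:
            if isinstance(r, Exempt):   # address-only match, either direction
                if in_if == r.real_if and flow.src in r.real_net and flow.dst in r.dest_net:
                    return "exempt", flow
                if out_if == r.real_if and flow.dst in r.real_net and flow.src in r.dest_net:
                    return "exempt", flow
        for r in self.rules:
            if isinstance(r, Static):   # always active, so both directions translate
                if in_if == r.real_if and flow.src == r.real_ip and r.real_port in (None, flow.sport):
                    return "xlate", Flow(r.mapped_ip, flow.dst, r.mapped_port or flow.sport, flow.dport)
                if in_if == r.mapped_if and flow.dst == r.mapped_ip and r.mapped_port in (None, flow.dport):
                    return "xlate", Flow(flow.src, r.real_ip, flow.sport, r.real_port or flow.dport)
        for r in self.rules:
            if isinstance(r, Dynamic):
                if in_if == r.real_if and out_if == r.mapped_if and flow.src in r.real_net:
                    out = self._outbound(r, flow)
                    return ("xlate", out) if out else ("drop", None)    # pool empty, no PAT address
                if in_if == r.mapped_if and out_if == r.real_if:
                    back = self._inbound(flow)
                    return ("xlate", back) if back else ("drop", None)  # no session from the real side
        return "drop", None         # NAT control enabled and nothing matched

    def _outbound(self, r, flow):
        if flow.src not in self.xlate and r.pool:
            self.xlate[flow.src] = r.pool.pop(0)
        if flow.src in self.xlate:
            mapped, mport = self.xlate[flow.src], flow.sport
        elif r.pat_ip is not None:
            key = (flow.src, flow.sport)
            if key not in self.pat:
                self.pat[key] = (r.pat_ip, self.next_port)
                self.next_port += 1
            mapped, mport = self.pat[key]
        else:
            return None
        self.sessions.add((mapped, mport, flow.dst, flow.dport))
        return Flow(mapped, flow.dst, mport, flow.dport)

    def _inbound(self, flow):
        # Only the reverse half of a session the real host started is accepted.
        if (flow.dst, flow.dport, flow.src, flow.sport) not in self.sessions:
            return None
        for real, mapped in self.xlate.items():
            if mapped == flow.dst:
                return Flow(flow.src, real, flow.sport, flow.dport)
        for (real, rport), (ip, port) in self.pat.items():
            if (ip, port) == (flow.dst, flow.dport):
                return Flow(flow.src, real, flow.sport, rport)
        return None


def build_example():
    """Exemption to a constructed VPN peer network, the guide's Telnet port
    redirect, and dynamic NAT for 10.1.1.0/24 with a 2-address pool plus a
    PAT address for overflow."""
    return NatEngine([
        Exempt("inside", IPv4Network("10.1.1.0/24"), IPv4Network("10.2.2.0/24")),
        Static("inside", "outside", IPv4Address("209.165.201.5"), IPv4Address("10.1.1.6"), 23, 23),
        Dynamic("inside", "outside", IPv4Network("10.1.1.0/24"),
                [IPv4Address("209.165.201.3"), IPv4Address("209.165.201.4")],
                IPv4Address("209.165.201.15")),
    ])


def check(engine, in_if, out_if, src, sport, dst, dport):
    """String-in, string-out wrapper: 'action src:sport->dst:dport', or 'drop'."""
    action, f = engine.translate(Flow(IPv4Address(src), IPv4Address(dst), sport, dport), in_if, out_if)
    return action if f is None else f"{action} {f.src}:{f.sport}->{f.dst}:{f.dport}"
```

Feed check() a sequence of flows on one engine: the third inside host overflows the two-address pool onto the PAT address, an outside host can reach the redirected Telnet port but not port 80 on the same mapped address, and an unsolicited packet to a dynamically mapped address is dropped because no session was started from the inside. Real matching order and interface-level ACL checks are outside this toy.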
Chapter 14 Applying NAT NAT Examples Overlapping Networks In Figure 14-26, the security appliance connects two private networks with overlapping address ranges.
Figure 14-26 Using Outside NAT with Overlapping Networks (diagram: the inside and dmz interfaces each attach to a 192.168.100.0/24 network containing hosts 192.168.100.2 and 192.168.100.3; the addresses 10.1.1.1, 10.1.1.2 and 192.168.100.1 lie on the dmz side toward the gateway router)
Two networks use an overlapping address space (192.168.100.
Chapter 14 Applying NAT NAT Examples The security appliance already has a connected route for the inside network. These static routes allow the security appliance to send traffic for the 192.168.100.0/24 network out the DMZ interface to the gateway router at 10.1.1.2. (You need to split the network into two because you cannot create a static route with the exact same network as a connected route.) Alternatively, you could use a broader route for the DMZ traffic, such as a default route. If host 192.
Chapter 14 Applying NAT NAT Examples To implement this scenario, perform the following steps:
Step 1 Configure PAT for the inside network by entering the following commands:
hostname(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0
hostname(config)# global (outside) 1 209.165.201.15
Step 2 Redirect Telnet requests for 209.165.201.5 to 10.1.1.6 by entering the following command:
hostname(config)# static (inside,outside) tcp 209.165.201.5 telnet 10.1.1.6 telnet netmask 255.255.255.
C H A P T E R 15 Permitting or Denying Network Access This chapter describes how to control network access through the security appliance using access lists. To create an extended access list or an EtherType access list, see Chapter 13, “Identifying Traffic with Access Lists.” Note You use ACLs to control network access in both routed and transparent firewall modes. In transparent mode, you can use both extended ACLs (for Layer 3 traffic) and EtherType ACLs (for Layer 2 traffic).
Chapter 15 Permitting or Denying Network Access Inbound and Outbound Access List Overview You might want to use an outbound access list to simplify your access list configuration. For example, if you want to allow three inside networks on three different interfaces to access each other, you can create a simple inbound access list that allows all traffic on each inside interface (see Figure 15-1).
Figure 15-1 Inbound Access Lists
Chapter 15 Permitting or Denying Network Access Inbound and Outbound Access List Overview Then, if you want to allow only certain hosts on the inside networks to access a web server on the outside network, you can create a more restrictive access list that allows only the specified hosts and apply it to the outbound direction of the outside interface (see Figure 15-1). See the “IP Addresses Used for Access Lists When You Use NAT” section on page 13-7 for information about NAT and IP addresses.
Chapter 15 Permitting or Denying Network Access Applying an Access List to an Interface Applying an Access List to an Interface To apply an extended access list to the inbound or outbound direction of an interface, enter the following command:
hostname(config)# access-group access_list_name {in | out} interface interface_name [per-user-override]
You can apply one access list of each type (extended and EtherType) to both directions of the interface.
Chapter 15 Permitting or Denying Network Access Applying an Access List to an Interface The following access list denies traffic with EtherType 0x1256 but allows all others on both interfaces:
hostname(config)# access-list nonIP ethertype deny 1256
hostname(config)# access-list nonIP ethertype permit any
hostname(config)# access-group nonIP in interface inside
hostname(config)# access-group nonIP in interface outside
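Two cross-references in a saved configuration are easy to break when editing by hand: a nat ID other than 0 needs a global command with the same ID on some interface (and a global needs a nat), as explained under "Using Dynamic NAT and PAT", and an access-group must name an access list that actually exists, since an access-group bound to an undefined list applies nothing. The following checker is an added example, not code from the Cisco guide; SAMPLE_CONFIG is constructed and deliberately contains one orphaned nat ID and one access-group that references an undefined list.

```python
"""Static checks on a saved configuration for two cross-references the guide
describes: every nat ID other than 0 needs a global command with the same ID
(and vice versa), and every access-group must name an access list that exists.

Added example, not code from the Cisco guide. SAMPLE_CONFIG is constructed and
deliberately contains one orphaned nat ID and one dangling access-group.
"""
import re

NAT_RE = re.compile(r"^nat \((\w+)\) (\d+)\b")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+)\b")
# Exactly one space after access-list: downloaded ACLs are written with two
# spaces, are not local lists and cannot be bound with access-group, so they
# are deliberately not collected here.
ACL_RE = re.compile(r"^access-list (\S+) ")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)")


def check_config(text):
    """Return a list of findings (empty when the references are consistent)."""
    nat_ids, global_ids, acls, groups = {}, {}, set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            nat_ids.setdefault(int(m.group(2)), set()).add(m.group(1))
        elif m := GLOBAL_RE.match(line):
            global_ids.setdefault(int(m.group(2)), set()).add(m.group(1))
        elif m := ACL_RE.match(line):
            acls.add(m.group(1))
        elif m := ACCESS_GROUP_RE.match(line):
            groups.append(m.groups())
    findings = []
    for nid, ifs in sorted(nat_ids.items()):
        if nid != 0 and nid not in global_ids:   # nat 0 is identity NAT / NAT exemption
            findings.append(f"nat id {nid} on {sorted(ifs)} has no global command")
    for gid, ifs in sorted(global_ids.items()):
        if gid not in nat_ids:
            findings.append(f"global id {gid} on {sorted(ifs)} has no nat command")
    for name, direction, ifname in groups:
        if name not in acls:
            findings.append(f"access-group {name} {direction} interface {ifname} "
                            "names an undefined access list")
    return findings


# Constructed sample: nat ID 2 has no global, and access-group ETHER has no list.
SAMPLE_CONFIG = """\
nat (inside) 1 10.1.2.0 255.255.255.0
nat (dmz) 1 10.1.1.0 255.255.255.0
global (outside) 1 209.165.201.3-209.165.201.10
global (outside) 1 209.165.201.11
nat (inside) 2 192.168.1.0 255.255.255.0
nat (inside) 0 access-list EXEMPT
access-list EXEMPT permit ip 10.1.2.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list nonIP ethertype deny 1256
access-list nonIP ethertype permit any
access-group ETHER in interface inside
access-group nonIP in interface outside
"""

if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against the text of show running-config; a clean configuration yields an empty list. The same nat ID on two interfaces sharing one global, and two global entries (a pool and a PAT address) on the same ID, are both accepted, matching the sharing rules described in the NAT chapter.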
C H A P T E R 16 Applying AAA for Network Access This chapter describes how to enable AAA (pronounced “triple A”) for network access.
Chapter 16 Applying AAA for Network Access Configuring Authentication for Network Access Authentication Overview The security appliance lets you configure network access authentication using AAA servers. A user at a given IP address only needs to authenticate one time for all rules and types, until the authentication session expires. (See the timeout uauth command in the Cisco Security Appliance Command Reference for timeout values.
Chapter 16 Applying AAA for Network Access Configuring Authentication for Network Access Enabling Network Access Authentication To enable network access authentication, perform the following steps: Step 1 Using the aaa-server command, identify your AAA servers. If you have already identified your AAA servers, continue to the next step. For more information about identifying AAA servers, see the “Identifying AAA Server Groups and Servers” section on page 10-11.
Chapter 16 Applying AAA for Network Access Configuring Authentication for Network Access The following commands authenticate Telnet traffic from the outside interface to a particular server (209.165.201.5):
hostname/contexta(config)# aaa-server AuthInbound protocol tacacs+
hostname/contexta(config-aaa-server-group)# exit
hostname/contexta(config)# aaa-server AuthInbound (inside) host 10.1.1.
Chapter 16 Applying AAA for Network Access Configuring Authentication for Network Access Note The Cisco Systems text field shown in this example was customized using the auth-prompt command. For the detailed syntax of this command refer to the Cisco Security Appliance Command Reference. If you do not enter a string using the auth-prompt command, this field will be blank. After the user enters a valid username and password, an “Authentication Successful” page appears and closes automatically.
Chapter 16 Applying AAA for Network Access Configuring Authorization for Network Access Configuring Authorization for Network Access After a user authenticates for a given connection, the security appliance can use authorization to further control traffic from the user.
Chapter 16 Applying AAA for Network Access Configuring Authorization for Network Access Step 3 To enable authorization, enter the following command:
hostname/contexta(config)# aaa authorization match acl_name interface_name server_group
where acl_name is the name of the ACL you created in Step 2, interface_name is the name of the interface as specified with the nameif command or by default, and server_group is the AAA server group you created when you enabled authentication.
Chapter 16 Applying AAA for Network Access Configuring Authorization for Network Access This section includes the following topics: • Configuring a RADIUS Server to Download Per-User Access Control Lists, page 16-8 • Configuring a RADIUS Server to Download Per-User Access Control List Names, page 16-10 Configuring a RADIUS Server to Download Per-User Access Control Lists This section describes how to configure Cisco Secure ACS or a third-party RADIUS server, and includes the following topics: • Conf
Chapter 16 Applying AAA for Network Access Configuring Authorization for Network Access The downloaded ACL on the security appliance consists of access-list lines, one per ACE, that all carry the downloaded name #ACSACL#-ip-acs_ten_acl-3b5385f7 (the ACE bodies are not recoverable from this copy of the listing).
Chapter 16 Applying AAA for Network Access Configuring Accounting for Network Access Downloaded ACLs have two spaces between the word “access-list” and the name. These spaces serve to differentiate a downloaded ACL from a local ACL. In this example, “79AD4A08” is a hash value generated by the security appliance to help determine when ACL definitions have changed on the RADIUS server.
Chapter 16 Applying AAA for Network Access Using MAC Addresses to Exempt Traffic from Authentication and Authorization Step 3 To enable accounting, enter the following command:
hostname/contexta(config)# aaa accounting match acl_name interface_name server_group
Note Alternatively, you can use the aaa accounting include command (which identifies traffic within the command) but you cannot use both methods in the same configuration. See the Cisco Security Appliance Command Reference for more information.
Chapter 16 Applying AAA for Network Access Using MAC Addresses to Exempt Traffic from Authentication and Authorization To use MAC addresses to exempt traffic from authentication and authorization, perform the following steps:
Step 1 To configure a MAC list, enter the following command:
hostname/contexta(config)# mac-list id {deny | permit} mac macmask
where id is the hexadecimal number that you assign to the MAC list, mac is the MAC address of the computer whose traffic you want to permit or deny, and
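Putting the "Authentication Overview" and the MAC exemption procedure together: a new connection is first checked against the MAC list, and only a non-exempt source is sent to the per-IP authentication cache, whose lifetime is governed by timeout uauth. The model below is an added example, not code from the Cisco guide. MAC addresses and masks are in the dotted-hex form the mac-list command uses; the 300-second timeout, the addresses, and the assumption that the first matching MAC entry wins are constructed.

```python
"""Model of the two gates a new connection passes before AAA is consulted:
the MAC exemption list and the per-IP authentication cache whose lifetime
is set by timeout uauth.

Added example, not code from the Cisco guide. The 300-second timeout, the
addresses, and first-match evaluation of the MAC list are assumptions.
"""


def mac_to_int(mac):
    """'00a0.c95d.0282' -> integer, so a mask can be applied bitwise."""
    return int(mac.replace(".", ""), 16)


class MacList:
    def __init__(self):
        self.entries = []   # (permit, mac, mask), kept in configured order

    def add(self, action, mac, mask):
        self.entries.append((action == "permit", mac_to_int(mac), mac_to_int(mask)))

    def exempt(self, mac):
        """permit entry -> exempt from authentication/authorization;
        deny entry -> not exempt; no matching entry -> not exempt."""
        m = mac_to_int(mac)
        for permit, base, mask in self.entries:   # first match wins (assumption)
            if m & mask == base & mask:
                return permit
        return False


class AuthGate:
    def __init__(self, mac_list, uauth_timeout=300):
        self.mac_list = mac_list
        self.timeout = uauth_timeout
        self.cache = {}     # source IP -> time at which the cached authentication expires

    def admit(self, src_ip, src_mac, now, credentials_ok=False):
        """Decide for a connection from (src_ip, src_mac) at time `now` (seconds).
        Returns 'exempt', 'cached', 'authenticated' or 'challenge'."""
        if self.mac_list.exempt(src_mac):
            return "exempt"
        if src_ip in self.cache and now < self.cache[src_ip]:
            return "cached"     # one authentication covers all rules until it expires
        self.cache.pop(src_ip, None)
        if credentials_ok:      # user answered the prompt with valid credentials
            self.cache[src_ip] = now + self.timeout
            return "authenticated"
        return "challenge"      # prompt the user


def build_gate():
    """Constructed list: one host in a vendor block must still authenticate,
    the rest of that block (for example IP phones) is exempt."""
    ml = MacList()
    ml.add("deny", "00a0.c95d.0282", "ffff.ffff.ffff")
    ml.add("permit", "00a0.c95d.0000", "ffff.ffff.0000")
    return AuthGate(ml, uauth_timeout=300)
```

The deny entry is listed before the broader permit so that it takes effect; a device not covered by any entry is treated like a denied one and goes through authentication as usual.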
C H A P T E R 17 Applying Filtering Services This chapter describes ways to filter web traffic to reduce security risks or prevent inappropriate use.
Chapter 17 Applying Filtering Services Filtering ActiveX Objects Filtering ActiveX Objects This section describes how to apply filtering to remove ActiveX objects from HTTP traffic passing through the firewall. This section includes the following topics: • Overview, page 17-2 • Enabling ActiveX Filtering, page 17-2 Overview ActiveX objects may pose security risks because they can contain code intended to attack hosts and servers on a protected network.
Chapter 17 Applying Filtering Services Filtering Java Applets This command specifies that the ActiveX object blocking applies to web traffic on port 80 from any local host and for connections to any foreign host. To remove the configuration, use the no form of the command, as in the following example:
hostname(config)# no filter activex 80 0 0 0 0
Filtering Java Applets This section describes how to apply filtering to remove Java applets from HTTP traffic passing through the firewall.
Chapter 17 Applying Filtering Services Filtering with an External Server The following example blocks downloading of Java applets to a host on a protected network:
hostname(config)# filter java http 192.168.3.3 255.255.255.255 0 0
This command prevents host 192.168.3.3 from downloading Java applets. To remove the configuration, use the no form of the command, as in the following example:
hostname(config)# no filter java http 192.168.3.3 255.255.255.
Chapter 17 Applying Filtering Services Filtering with an External Server General Procedure The following steps summarize the procedure for enabling filtering with an external filtering server. To enable filtering with an external filtering server, perform the following steps: Step 1 Identify the filtering server. Refer to the following section: Identifying the Filtering Server, page 17-5 Step 2 (Optional) Buffer responses from the content server.
Chapter 17 Applying Filtering Services Filtering with an External Server Replace if_name with the name of the security appliance interface that is connected to the filtering server (the default is inside). Replace local_ip with the IP address of the filtering server. Replace seconds with the number of seconds the security appliance should keep trying to connect to the filtering server. Note The default port is 4005.
Chapter 17 Applying Filtering Services Filtering HTTP URLs Caching Server Addresses After a user accesses a site, the filtering server can allow the security appliance to cache the server address for a certain amount of time, as long as every site hosted at the address is in a category that is permitted at all times. Then, when the user accesses the server again, or if another user accesses the server, the security appliance does not need to consult the filtering server again.
Chapter 17 Applying Filtering Services Filtering HTTPS URLs The allow option causes the security appliance to forward HTTP traffic without filtering when the primary filtering server is unavailable. Use the proxy-block command to drop all requests to proxy servers. Enabling Filtering of Long HTTP URLs By default, the security appliance considers an HTTP URL to be a long URL if it is greater than 1159 characters. For Websense servers, you can increase the maximum length allowed.
Chapter 17 Applying Filtering Services Filtering FTP Requests Because HTTPS content is encrypted, the security appliance sends the URL lookup without directory and filename information. When the filtering server approves an HTTPS connection request, the security appliance allows the completion of SSL connection negotiation and allows the reply from the web server to reach the originating client.
Chapter 17 Applying Filtering Services Viewing Filtering Statistics and Configuration Viewing Filtering Statistics and Configuration This section describes how to monitor filtering statistics.
Chapter 17 Applying Filtering Services Viewing Filtering Statistics and Configuration The following is sample output from the show url-block command:
hostname# show url-block
url-block url-mempool 128
url-block url-size 4
url-block block 128
This shows the configuration of the URL block buffer.
Chapter 17 Applying Filtering Services Viewing Filtering Statistics and Configuration This shows URL filtering performance statistics, along with other performance statistics. The filtering statistics are shown in the URL Access and URL Server Req rows. Viewing Filtering Configuration The following is sample output from the show filter command:
hostname# show filter
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.
C H A P T E R 18 Using Modular Policy Framework This chapter describes how to use Modular Policy Framework to create security policies for TCP and general connection settings, inspection, and QoS.
Chapter 18 Using Modular Policy Framework Identifying Traffic Using a Class Map 3. Finally, create a security policy by associating the policy map with one or more interfaces using the service-policy global configuration command. Associating a policy map with an interface activates the policy. Identifying Traffic Using a Class Map A traffic class is a set of traffic that is identified by the packet content.
Chapter 18 Using Modular Policy Framework Identifying Traffic Using a Class Map
Table 18-1 Class-map Configuration Mode Commands (continued)
match tunnel-group: Specifies to match security related tunnel groups. Note that matching on tunnel groups is used with QoS configurations only.
match flow: Specifies to match every flow based on unique IP destination address.
match default-inspection-traffic: Specifies to match default traffic for the inspect commands.
Chapter 18 Using Modular Policy Framework Defining Actions Using a Policy Map The following example uses the access-list option to assign traffic identified by the access control entries in the http_acl access list:
hostname(config-cmap)# match access-list http_acl
You can also use the match command to identify traffic based on IP precedence, DSCP (QoS) value, RTP port, or tunnel group. For the complete syntax of the match command refer to the Cisco Security Appliance Command Reference.
Chapter 18 Using Modular Policy Framework Defining Actions Using a Policy Map Policy Map Procedure To define a policy map, assign a name to the policy with the policy-map command and then list one or more class maps and one or more actions that should be taken on packets that belong to the given traffic class.
Chapter 18 Using Modular Policy Framework Defining Actions Using a Policy Map For more information about configuring inspection actions for Modular Policy Framework, see Chapter 21, “Applying Application Layer Protocol Inspection.” For more information about configuring IPS actions for Modular Policy Framework, see Chapter 19, “Intercepting and Responding to Network Attacks.” For more information about configuring QoS actions for Modular Policy Framework, see Chapter 20, “Applying QoS Policies.
Chapter 18 Using Modular Policy Framework Defining Actions Using a Policy Map Restrictions If there is no match default_inspection_traffic or match tunnel-group command in a class map, then at most one inspect command is allowed to be configured under the class. For example, the following class map can be associated with no more than one inspection action.
Chapter 18 Using Modular Policy Framework Defining Actions Using a Policy Map
hostname(config)# class-map high_priority_traffic
hostname(config-cmap)# match dscp AF1 AF2
hostname(config)# policy-map outside_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect http http_map
hostname(config-pmap-c)# inspect sip
hostname(config-pmap)# class http_traffic
hostname(config-pmap-c)# set connection timeout tcp 0:10:0
hostname(config-pmap)# class high_priority_traffic
hostname(co
Chapter 18 Using Modular Policy Framework Defining Actions Using a Policy Map
hostname(config)# policy-map global_policy
hostname(config-pmap)# class telnet_traffic
hostname(config-pmap-c)# set connection timeout tcp 0:0:0
hostname(config-pmap-c)# set connection conn-max 100
hostname(config-pmap)# class f
Chapter 18 Using Modular Policy Framework Applying a Policy to an Interface Using a Service Policy Note If there are multiple instances of the same type configured in a policy map, only the first matched instance of that action will be performed. Advanced Options Advanced options vary from protocol to protocol, and are configured using the xxx-map commands when applicable, where xxx stands for the name of the protocol.
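The two rules stated above, that only the first matched instance of an action type is performed and that a class without match default-inspection-traffic or match tunnel-group may carry at most one inspect, determine what a packet actually receives when several classes match it. The evaluator below is an added example, not code from the Cisco guide. build_outside_policy() mirrors the outside_policy example above; the port match assumed for http_traffic, the trailing all_traffic class and the two-entry DEFAULT_INSPECTION_PORTS table (a constructed subset of the appliance's default inspection ports) are assumptions.

```python
"""Small evaluator for the policy-map rules stated above: classes are tried
in configured order, and when several matching classes carry an action of the
same type only the first match's action is applied; a class without match
default-inspection-traffic or match tunnel-group may hold at most one inspect.

Added example, not the guide's code. The http_traffic port match, the
all_traffic class and DEFAULT_INSPECTION_PORTS are constructed assumptions."""
DEFAULT_INSPECTION_PORTS = {"http": 80, "sip": 5060}   # constructed subset


class ClassMap:
    def __init__(self, name, kind, *args):
        self.name, self.kind, self.args = name, kind, args

    def matches(self, pkt):
        """pkt is a dict with 'dport' and 'dscp' keys."""
        if self.kind == "any":
            return True
        if self.kind == "port":                        # match port tcp eq N
            return pkt["dport"] == self.args[0]
        if self.kind == "dscp":                        # match dscp AF1 AF2 ...
            return pkt["dscp"] in self.args
        if self.kind == "default-inspection-traffic":  # any default inspection port
            return pkt["dport"] in DEFAULT_INSPECTION_PORTS.values()
        raise ValueError(f"unsupported match: {self.kind}")


class PolicyMap:
    def __init__(self, name):
        self.name, self.entries = name, []   # [(ClassMap, [(action_type, arg), ...])]

    def add_class(self, cmap, actions):
        inspects = [a for a in actions if a[0] == "inspect"]
        if cmap.kind not in ("default-inspection-traffic", "tunnel-group") and len(inspects) > 1:
            raise ValueError(f"class {cmap.name}: only one inspect allowed without match "
                             "default-inspection-traffic or match tunnel-group")
        self.entries.append((cmap, actions))

    def evaluate(self, pkt):
        """Return {action key: (class name, argument)} for the actions applied to pkt."""
        applied = {}
        for cmap, actions in self.entries:
            if not cmap.matches(pkt):
                continue
            for kind, arg in actions:
                if kind == "inspect":
                    # In a default-inspection class each inspect fires only on its own port.
                    if (cmap.kind == "default-inspection-traffic"
                            and pkt["dport"] != DEFAULT_INSPECTION_PORTS.get(arg)):
                        continue
                    key = f"inspect {arg}"
                else:
                    key = kind
                applied.setdefault(key, (cmap.name, arg))   # first matched instance wins
        return applied


def build_outside_policy():
    pm = PolicyMap("outside_policy")
    pm.add_class(ClassMap("inspection_default", "default-inspection-traffic"),
                 [("inspect", "http"), ("inspect", "sip")])
    pm.add_class(ClassMap("http_traffic", "port", 80), [("set connection timeout", "tcp 0:10:0")])
    pm.add_class(ClassMap("high_priority_traffic", "dscp", "AF1", "AF2"), [("priority", None)])
    # A later catch-all with the same action type never overrides http_traffic for port 80.
    pm.add_class(ClassMap("all_traffic", "any"), [("set connection timeout", "tcp 1:0:0")])
    return pm
```

Evaluating a packet to port 80 marked AF1 yields HTTP inspection, the http_traffic timeout and priority; a SIP packet gets only SIP inspection plus the catch-all timeout, and adding a second inspect to a plain port class is rejected at configuration time.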
Chapter 18 Using Modular Policy Framework Direction Policies When Applying a Service Policy Types of Direction Policies There are three types of policies when considering which traffic direction to classify traffic: • Input (or ingress) • Output (or egress) • Bidirectional (both ingress and egress) An input policy on an interface means that classification is applied to traffic that enters the security appliance through an interface.
Chapter 18 Using Modular Policy Framework Direction Policies When Applying a Service Policy Using Figure 18-1, where Host A is located on outside and Host B is located on inside, all HTTP connections initiated from Host A and destined to Host B will be classified for HTTP inspection and priority queueing. However, all HTTP connections initiated from Host B and destined to Host A will be classified for HTTP inspection only.
Chapter 18 Using Modular Policy Framework Direction Policies When Applying a Service Policy
Figure 18-2 Match Access List/Interface Policy Topology (diagram: Host A on the outside; SERVER_B and CLIENT_D on the inside; policies http_client and http_server; each HTTP flow between A, B, C and D is labeled as inspected, connection-limited, policed or not classified according to whether it matches the specified access list and to the output rule of the bidirectional policy)
Chapter 18 Using Modular Policy Framework Direction Policies When Applying a Service Policy
Figure 18-3 Match Port/Global Policy Topology (diagram: Host A on the outside and Host B on the inside; with a global service policy, HTTP from A to B/80 is inspected by the input policy on outside and policed by the output policy on inside, and HTTP from B to A/80 is inspected by the input policy on inside and policed by the output policy on outside)
See the following commands for this example:
Chapter 18 Using Modular Policy Framework Direction Policies When Applying a Service Policy
Figure 18-4 Service Policy and NAT Topology (diagram: Host C on the outside, CLIENT_D_REAL on the inside, policy http_client)
See the following commands for this example:
hostname(config)# static (inside, outside) CLIENT_D_GLOBAL CLIENT_D_REAL
hostname(config)# access-list http_client permit tcp host CLIENT_D_GLOBAL any eq 80
hostname(config)# class-map http_client
hostname(config-cmap)# match access-list htt
C H A P T E R 19 Intercepting and Responding to Network Attacks This chapter describes how to configure protection features to intercept and respond to network attacks. These features include sending traffic to an AIP SSM, limiting TCP and UDP connections, configuring TCP normalization, and many other protection features.
Chapter 19 Intercepting and Responding to Network Attacks Configuring TCP Normalization Configuring TCP Normalization TCP normalization is a feature consisting of advanced TCP connection settings designed to drop packets that do not appear normal. It is used with Modular Policy Framework to create a security policy applied to the security appliance. Once a TCP map is created, it is applied using the policy-map command, and activated using the service-policy command.
Chapter 19 Intercepting and Responding to Network Attacks Protecting Your Network Against Specific Attacks Step 4 To activate the policy map globally, enter the following command:
hostname(config)# service-policy pmap global
Step 5 To show the TCP map statistics, enter the following command:
hostname# show service-policy set connection
Protecting Your Network Against Specific Attacks This section describes how to configure protection from certain attacks.
Chapter 19 Intercepting and Responding to Network Attacks Protecting Your Network Against Specific Attacks Configuring Connection Limits and Timeouts This section describes how to set maximum TCP and UDP connections, maximum embryonic connections, connection timeouts, and how to disable TCP sequence randomization. Limiting the number of connections and embryonic connections protects you from a DoS attack.
Chapter 19 Intercepting and Responding to Network Attacks Protecting Your Network Against Specific Attacks The half-closed hh[:mm[:ss] and tcp hh[:mm[:ss] values are a time between 0:5:0 and 1192:59:59. The default for half-closed is 0:10:0 and the default for tcp is 1:0:0. You can also set these values to 0, which means the connection never times out. You can enter this command all on one line (in any order), or you can enter each attribute as a separate command.
Chapter 19 Intercepting and Responding to Network Attacks Protecting Your Network Against Specific Attacks If you enter only the source IP address, then all future connections are shunned; existing connections remain active. To drop an existing connection, as well as blocking future connections from the source IP address, enter the destination IP address, source and destination ports, and the protocol. By default, the protocol is 0 for IP.
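The connection limits, the half-closed and tcp timeouts (including the value 0, which never times out) and the two forms of shun all act on the same connection table, and their interplay is clearest in a small state model. The following is an added example, not code from the Cisco guide: limits, addresses and times (in seconds) are constructed, while the default timeouts are the guide's 0:10:0 and 1:0:0. The appliance also has a separate embryonic timeout that this toy does not model; it reuses tcp_idle for embryonic entries.

```python
"""Connection-table model of the protections described above: maximum
connections, maximum embryonic (half-open) connections, the half-closed and
tcp idle timeouts (0 = never), and shun. A shun naming only a source address
blocks future connections from it; a shun that also names destination, ports
and protocol tears down that existing connection too.

Added example, not the guide's code. Limits, addresses and times (seconds)
are constructed; the default timeouts are the guide's 0:10:0 and 1:0:0."""


class ConnTable:
    def __init__(self, conn_max=0, emb_max=0, half_closed=600, tcp_idle=3600):
        self.conn_max, self.emb_max = conn_max, emb_max          # 0 = unlimited
        self.half_closed, self.tcp_idle = half_closed, tcp_idle  # 0 = never time out
        self.conns = {}       # (src, dst, sport, dport, proto) -> [state, last_seen]
        self.shunned = set()  # source addresses named in shun commands

    def _count(self, state=None):
        return sum(1 for s, _ in self.conns.values() if state is None or s == state)

    def syn(self, key, now):
        """First packet of a TCP connection; returns 'open' or the refusal reason."""
        if key[0] in self.shunned:
            return "shunned"
        if key in self.conns:            # retransmitted SYN of a known connection
            self.conns[key][1] = now
            return "open"
        if self.conn_max and self._count() >= self.conn_max:
            return "conn-max"
        if self.emb_max and self._count("embryonic") >= self.emb_max:
            return "embryonic-limit"     # no room for another half-open connection
        self.conns[key] = ["embryonic", now]
        return "open"

    def established(self, key, now):     # three-way handshake completed
        if key in self.conns:
            self.conns[key] = ["established", now]

    def fin(self, key, now):             # one side closed the connection
        if key in self.conns:
            self.conns[key] = ["half-closed", now]

    def shun(self, src, dst=None, sport=None, dport=None, proto=0):
        """Mirror of shun: src alone blocks future connections; a full tuple
        (destination, ports, protocol; protocol 0 = IP) also drops that connection."""
        self.shunned.add(src)
        if dst is not None:
            self.conns.pop((src, dst, sport, dport, proto), None)

    def expire(self, now):
        """Drop connections whose state-specific timeout has elapsed; return the count left.
        (Embryonic entries reuse tcp_idle here; the appliance has its own embryonic timeout.)"""
        limit = {"half-closed": self.half_closed, "established": self.tcp_idle,
                 "embryonic": self.tcp_idle}
        for key in [k for k, (s, last) in self.conns.items() if limit[s] and now - last >= limit[s]]:
            del self.conns[key]
        return len(self.conns)

    def states(self):
        return {k: s for k, (s, _) in self.conns.items()}
```

With emb_max set to 2, a third half-open connection is refused until one of the first two completes its handshake; conn-max is checked before the embryonic limit, so a full table refuses even a completed host's new SYN. A source-only shun leaves that host's existing entry in place, while the full-tuple form removes it.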
C H A P T E R 20 Applying QoS Policies This chapter describes how to apply QoS policies, and contains the following sections: • Overview, page 20-1 • QoS Concepts, page 20-2 • Identifying Traffic for QoS, page 20-3 • Classifying Traffic for QoS, page 20-4 • Defining a QoS Policy Map, page 20-6 • Applying Rate Limiting, page 20-6 • Activating the Service Policy, page 20-9 • Applying Low Latency Queueing, page 20-9 • Viewing QoS Statistics, page 20-11 • Viewing the Priority-Queue Configur
Chapter 20 Applying QoS Policies QoS Concepts Note A flow can be defined in a number of ways. In the security appliance, QoS can apply to a combination of source and destination IP addresses, source and destination port number, and the TOS byte of the IP header. QoS Concepts QoS is a traffic-management strategy that lets you allocate network resources for both mission-critical and normal data, based on the type of network traffic and the priority you assign to that traffic.
Identifying Traffic for QoS
On the security appliance, the specification of a classification policy (that is, the definition of traffic classes) is separate from the specification of the policies that act on the results of the classification. In general, provisioning QoS policies requires the following steps:
1. Specifying traffic classes.
2. Associating actions with each traffic class to formulate policies.
3. Activating the policies.
The following example enables a default priority-queue with the default queue-limit and tx-ring-limit:
priority-queue name-interface
The following sections explain each of these uses in more detail.
Classifying Traffic for QoS
The class-map command classifies a set of traffic with which QoS actions are associated. You can use various types of match criteria to classify traffic.
hostname(config-cmap)# match tunnel-group tunnel-grp1
hostname(config-cmap)# match flow ip destination-address
hostname(config-cmap)# exit
hostname(config)#
The following example shows a way of policing a flow within a tunnel, provided the classed traffic is not specified as a tunnel, but does go through the tunnel. In this example, 192.168.10.
Defining a QoS Policy Map
The policy-map command configures various policies, such as security policies or QoS policies. A policy is an association of a traffic class, specified by a class command, and one or more actions. This section specifically deals with using the policy-map command to define the QoS policies for one or more classes of packets.
Note Policing is applied only in the output direction. You cannot enable both priority and policing together. If a service policy is applied or removed from an interface that has existing VPN client/LAN-to-LAN or non-tunneled traffic already established, the QoS policy is not applied or removed from the traffic stream. To apply or remove the QoS policy for such connections, you must clear (that is, drop) the connections and re-establish them.
Verifying the Traffic-Policing Configuration
To verify that the traffic-policing feature is configured on an interface, use the following command in privileged EXEC mode:
hostname# show running-config policy-map
This command displays all configured traffic policies.
Viewing QoS Priority-Queue Statistics
To view the QoS priority-queue statistics, use the following command in privileged EXEC mode:
hostname# show service-policy priority
This command displays the QoS priority-queue statistics; for example:
hostname# show service-policy priority
Global policy:
Service-policy: global_fw_policy
Interface outside:
Service-policy: qos
Class-map: TG1-voice
Priority:
Interface outside: aggregate drop 0, aggregate t
Note The upper limit of the range of values for the queue-limit and tx-ring-limit commands is determined dynamically at run time. To view this limit, enter help or ? on the command line. The key determinants are the memory needed to support the queues and the memory available on the device. The range of queue-limit values is 0 through 2048 packets. The range of tx-ring-limit values is 3 through 128 packets.
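The following configuration is an added example that ties together the classification, policing, priority and priority-queue sections of this chapter; it is not taken from the guide. Voice traffic inside one tunnel group is given the low latency queue, while all other traffic leaving the outside interface is policed. The class, policy and tunnel-group names, the DSCP match, the rate and burst values and the queue sizes are constructed; queue-limit and tx-ring-limit stay inside the ranges stated above.

```cisco
! Added example (not from the guide). Names, tunnel group, rate and queue
! sizes are constructed for illustration.
! 1. Turn on the priority queue for the egress interface
hostname(config)# priority-queue outside
hostname(config-priority-queue)# queue-limit 1024
hostname(config-priority-queue)# tx-ring-limit 64
hostname(config-priority-queue)# exit
! 2. Classify: voice (DSCP EF) inside tunnel group tunnel-grp1
hostname(config)# class-map TG1-voice
hostname(config-cmap)# match tunnel-group tunnel-grp1
hostname(config-cmap)# match dscp ef
hostname(config-cmap)# exit
! Everything else
hostname(config)# class-map bulk
hostname(config-cmap)# match any
hostname(config-cmap)# exit
! 3. Policy: priority for voice, policing for the rest. The two actions
!    go in different classes because one class cannot carry both.
hostname(config)# policy-map qos
hostname(config-pmap)# class TG1-voice
hostname(config-pmap-c)# priority
hostname(config-pmap-c)# class bulk
! 1 Mbps conform rate, 16000-byte burst; excess traffic is dropped
hostname(config-pmap-c)# police 1000000 16000 conform-action transmit exceed-action drop
hostname(config-pmap-c)# exit
hostname(config-pmap)# exit
! 4. Activate on the interface (policing acts only in the output direction)
hostname(config)# service-policy qos interface outside
! Verify
hostname(config)# show running-config priority-queue outside
hostname(config)# show service-policy priority
hostname(config)# show service-policy police
```

Because an existing tunnel or connection does not pick up a newly applied QoS policy, apply this before the tunnel is established or clear the connections afterwards, as the note in this section states.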
The following example establishes a priority queue on interface “outside” (the GigabitEthernet0/1 interface), with the default queue-limit and tx-ring-limit.
Viewing the Priority-Queue Configuration for an Interface
To display the priority-queue configuration for an interface, enter the show running-config priority-queue command in global configuration mode.
C H A P T E R 21 Applying Application Layer Protocol Inspection This chapter describes how to use and configure application inspection. This chapter includes the following sections: • Application Inspection Engines, page 21-1 • Applying Application Inspection to Selected Traffic, page 21-5 • Managing CTIQBE Inspection, page 21-10 • Managing FTP Inspection, page 21-14 • Managing GTP Inspection, page 21-19 • Managing H.
Overview
The Adaptive Security Algorithm, used by the security appliance for stateful application inspection, ensures the secure use of applications and services. Some applications require special handling by the security appliance and specific application inspection engines are provided for this purpose.
In Figure 21-1, operations are numbered in the order they occur, and are described as follows:
1. A TCP SYN packet arrives at the security appliance to establish a new connection.
2. The security appliance checks the access list database to determine if the connection is permitted.
3. The security appliance creates a new entry in the connection database (XLATE and CONN tables).
4.
Table 21-1 Application Inspection Engines
Application | PAT? | NAT (1-1)? | Configure Port? | Default Port | Standards | Comments
CTIQBE | Yes | Yes | Yes | TCP/2748 | — | —
DNS | Yes | Yes | No | UDP/53 | RFC 1123 | Only forward NAT. No PTR records are changed.
FTP | Yes | Yes | Yes | TCP/21 | RFC 959 | —
GTP | Yes | Yes | Yes | UDP/3386, UDP/2123 | — | Requires a special license.
H.323 | Yes | Yes | Yes | TCP/1720, UDP/1718 | ITU-T H.323, H.245, H225. |
Applying Application Inspection to Selected Traffic
This section describes how to identify traffic to which you want to apply an inspection engine, how to associate the inspection engine with a particular security policy, and how to apply the policy to one or more interfaces on the security appliance.
Step 4 Create a security policy by associating the policy map with one or more interfaces by entering the service-policy command. A security policy associates a previously defined traffic class with a security-related action and applies it to a specific interface. You can associate more than one traffic class with a single action and more than one action with a specific traffic class.
Step 3 In the class map configuration mode, define the traffic to include in the class by entering the following command:
hostname(config-cmap)# match {any | access-list acl_ID | port {tcp | udp} {eq port_num | range port_num port_num}}
Use the any option to include all traffic in the traffic class. Use the access-list option to match the criteria defined in a specific access list.
Table 21-2 Default Port Assignments (continued)
Protocol Name | Protocol | Port
rtsp | tcp | 554
sip | tcp, udp | 5060
skinny | tcp | 2000
smtp | tcp | 25
sqlnet | tcp | 1521
tftp | udp | 69
xdmcp | udp | 177
Step 5 To return to global configuration mode, enter the following command:
hostname(config-cmap)# exit
hostname(config)#
Using an Application Inspection Map
Some application inspection engines
hostname(config-http-map)# strict-http
hostname(config-http-map)#
Step 3 Return to global configuration mode:
hostname(config-http-map)# exit
hostname(config)#
Defining Actions with a Policy Map
You use a policy map to associate a traffic class map with a specific action, such as application inspection for a particular protocol.
Step 5 To return to global configuration mode, enter the following command:
hostname(config-pmap-c)# exit
Applying a Security Policy to an Interface
After defining the policy map, apply the policy map to one or more interfaces on the security appliance by entering the service-policy command in global configuration mode.
• Entering the debug ctiqbe command may delay message transmission, which may have a performance impact in a real-time environment. When you enable this debugging or logging and Cisco IP SoftPhone seems unable to complete call setup through the security appliance, increase the timeout values in the Cisco TSP settings on the system running Cisco IP SoftPhone.
The CLI enters the policy map configuration mode and the prompt changes accordingly, as follows:
hostname(config-pmap)#
Step 4 Specify the traffic class defined in Step 2 to be included in the policy map by entering the following command:
hostname(config-pmap)# class class_map_name
For example, the following command assigns the ctiqbe_port traffic class to the current policy map:
hostname(config-pmap)# class ctiqbe_po
Verifying and Monitoring CTIQBE Inspection
The show ctiqbe command displays information regarding the CTIQBE sessions established across the security appliance. It shows information about the media connections allocated by the CTIQBE inspection engine. The following is sample output from the show ctiqbe command under the following conditions: there is only one active CTIQBE session set up across the security appliance.
Flags: B - initial SYN from outside, C - CTIQBE media, D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN, G - group, g - MGCP, H - H.323, h - H.225 (the legend entries for flags i, M, q, R and s are cut off at the page break).
After enabling the strict option on an interface, an FTP command must be acknowledged before a new command is allowed. Connections sending embedded commands are dropped. The strict option restricts an FTP server to generating the 227 command and restricts the FTP client to generating the PORT command. The 227 and PORT commands are further checked to ensure they do not appear in an error string.
To change the default configuration for FTP inspection, perform the following steps:
Step 1 Name the traffic class by entering the following command in global configuration mode:
hostname(config)# class-map class_map_name
Replace class_map_name with the name of the traffic class, as in the following example:
hostname(config)# class-map ftp_port
When you enter the class-map command, the CLI enters the class map configurat
Step 5 Name the policy map by entering the following command:
hostname(config)# policy-map policy_map_name
Replace policy_map_name with the name of the policy map, as in the following example:
hostname(config)# policy-map inbound_policy
The CLI enters the policy map configuration mode and the prompt changes accordingly, as follows:
hostname(config-pmap)#
Step 6 Specify the traffic class defined in Step 1 to be included
Table 21-3 FTP Map request-command deny Options
request-command deny Option | Purpose
appe | Disallows the command that appends to a file.
cdup | Disallows the command that changes to the parent directory of the current working directory.
dele | Disallows the command that deletes a file on the server.
get | Disallows the client command for retrieving a file from the server.
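The following configuration is an added, complete walk-through of the FTP inspection steps in this section (not an example from the guide): it builds an FTP map that denies the write and delete commands from Table 21-3, enables strict inspection with that map, and applies the policy to the outside interface. The map, class and policy names are constructed; the request-command keywords are the ones listed in the table.

```cisco
! Added example (not from the guide). Map, class and policy names are
! constructed. Goal: inbound FTP may read files but not write or delete.
hostname(config)# ftp-map inbound_ftp
! Deny uploads (put, appe), deletions (dele) and renames (rnfr, rnto);
! get (download) stays allowed
hostname(config-ftp-map)# request-command deny put appe dele rnfr rnto
hostname(config-ftp-map)# exit
hostname(config)# class-map ftp_port
hostname(config-cmap)# match port tcp eq 21
hostname(config-cmap)# exit
hostname(config)# policy-map inbound_policy
hostname(config-pmap)# class ftp_port
! strict: one command outstanding at a time, embedded commands dropped,
! PORT and 227 replies checked; the map adds the denied command list
hostname(config-pmap-c)# inspect ftp strict inbound_ftp
hostname(config-pmap-c)# exit
hostname(config-pmap)# exit
hostname(config)# service-policy inbound_policy interface outside
! Verify the map and the policy that references it
hostname(config)# show running-config ftp-map
hostname(config)# show running-config policy-map inbound_policy
```

Denied commands are rejected by the inspection engine rather than by the server, so a client attempting an upload sees the command fail and the event is visible in the appliance log, which is where a defender should look when verifying the policy.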
• The username, source IP address, destination IP address, NAT address, and the file operation are logged.
• Audit record 201005 is generated if the secondary dynamic channel preparation failed due to memory shortage.
In conjunction with NAT, the FTP application inspection translates the IP address within the application payload. This is described in detail in RFC 959.
The UMTS is the commercial convergence of fixed-line telephony, mobile, Internet and computer technology. UTRAN is the networking protocol used for implementing wireless networks in this system. GTP allows multi-protocol packets to be tunneled through a UMTS/GPRS backbone between a GGSN, an SGSN and the UTRAN.
The system enters GTP map configuration mode and the CLI prompt changes as in the following example:
hostname(config-gtp-map)#
hostname(config-gtp-map)# exit
hostname(config)#
Step 5 (Optional) Change the default configuration as required by entering any of the supported GTP map configuration commands, summarized in Table 21-3. The default GTP map is used when you enable GTP without specifying a GTP map.
Step 10 Return to global configuration mode by entering the following command:
hostname(config-pmap)# exit
hostname(config)#
Step 11 Apply the policy map globally or to a specific interface by entering the following command:
hostname(config)# service-policy policy_map_name [global | interface interface_ID]
Replace policy_map_name with the policy map you configured in Step 5, and identify all the interfaces with the globa
Table 21-4 GTP Map Configuration Commands (continued)
Command | Description
no | Removes the specified configuration.
request-queue | Specifies the maximum requests allowed in the queue.
timeout | Specifies the idle timeout for the GSN, PDP context, requests, signaling connections, and tunnels.
tunnel-limit | Specifies the maximum number of tunnels allowed.
seq_tpdu_up: 0
seq_tpdu_down: 0
signal_sequence: 0
upstream_signal_flow: 0
downstream_signal_flow: 0
upstream_data_flow: 0
downstream_data_flow: 0
RAupdate_flow: 0
The PDP context is identified by the tunnel ID, which is a combination of the values for IMSI and NSAPI. A GTP tunnel is defined by two associated PDP contexts in different GSN nodes and is identified with a Tunnel ID.
An H.323 client may initially establish a TCP connection to an H.323 server using TCP port 1720 to request Q.931 call setup. As part of the call setup process, the H.323 terminal supplies a port number to the client to use for an H.245 TCP connection. In environments where H.323 gatekeeper is in use, the initial packet is transmitted using UDP. H.323 inspection monitors the Q.931 TCP connection to determine the H.
• It has been observed that when a NetMeeting client registers with an H.323 gatekeeper and tries to call an H.323 gateway that is also registered with the H.323 gatekeeper, the connection is established but no voice is heard in either direction. This problem is unrelated to the security appliance.
For example, the following command assigns the h323_port traffic class to the current policy map.
hostname(config-pmap)# class h323_port
The CLI enters the policy map class configuration mode and the prompt changes accordingly, as follows:
hostname(config-pmap-c)#
Step 5 To enable H.
Configuring H.225 Timeout Values
To configure the idle time after which an H.225 signalling connection is closed, enter the following command:
hostname(config)# timeout h225
The default is 1:00:00.
To configure the idle time after which an H.323 control connection is closed, enter the following command:
hostname(config)# timeout h323
The default is 0:05:00.
Verifying and Monitoring H.
opened between them because they set “maintainConnection” to TRUE, so the session is kept open until they set it to FALSE again, or until the session times out based on the H.225 timeout value in your configuration.
Monitoring H.245 Sessions
The show h245 command displays information for H.245 sessions established across the security appliance by endpoints using slow start.
Managing HTTP Inspection
This section describes how the HTTP inspection engine works and how you can change its configuration.
Note When you enable HTTP inspection with an HTTP map, strict HTTP inspection with the action reset and log is enabled by default. You can change the actions performed in response to inspection failure, but you cannot disable strict inspection as long as the HTTP map remains enabled.
Step 5 Return to global configuration mode by entering the following command:
hostname(config-http-map)# exit
hostname(config)#
Step 6 Name the policy map by entering the following command:
hostname(config)# policy-map policy_map_name
Replace policy_map_name with the name of the policy map, as in the following example:
hostname(config)# policy-map inbound_policy
The CLI enters the policy map configuration mode and the
Example 21-5 Enabling and Configuring Enhanced HTTP Inspection
The following example shows how to use access lists to identify HTTP traffic, define an HTTP map, define a policy, and apply the policy to the outside interface:
hostname(config)# class-map http_port
hostname(config-cmap)# match port tcp eq 80
hostname(config-cmap)# exit
hostname(config)# http-map inbound_http
hostname(config-http-map)# content-length min 100 m
• Configuring and Enabling MGCP Inspection, page 21-36
• Configuring MGCP Timeout Values, page 21-38
• Verifying and Monitoring MGCP Inspection, page 21-39
MGCP Inspection Overview
MGCP is a master/slave protocol used to control media gateways from external call control elements called media gateway controllers or call agents.
MGCP endpoints are physical or virtual sources and destinations for data. Media gateways contain endpoints on which the call agent can create, modify and delete connections to establish and control media sessions with other multimedia endpoints. Also, the call agent can instruct the endpoints to detect certain events and generate signals. The endpoints automatically communicate changes in service state to the call agent.
Configuring and Enabling MGCP Inspection
Use the mgcp-map command to identify a specific map for defining the parameters for MGCP inspection. When you enter this command, the system enters a configuration mode that lets you enter the different commands used for defining the specific map. After defining the MGCP map, you enter the inspect mgcp command to enable the map.
Step 5 Configure the gateways, as in the following example:
hostname(config-mgcp-map)# gateway 10.10.10.115 101
hostname(config-mgcp-map)# gateway 10.10.10.116 102
hostname(config-mgcp-map)# gateway 10.10.10.
The following command applies the inbound_policy to all the security appliance interfaces:
hostname(config)# service-policy inbound_policy global
Example 21-6 shows how to identify MGCP traffic, define an MGCP map, define a policy, and apply the policy to the outside interface. This creates a class map to match MGCP traffic on the default ports (2427 and 2727).
Verifying and Monitoring MGCP Inspection
The show mgcp commands command lists the number of MGCP commands in the command queue. The show mgcp sessions command lists the number of existing MGCP sessions. The detail option includes additional information about each command (or session) in the output.
RTSP Inspection Overview
To enable RTSP application inspection or to change the ports to which the security appliance listens, enter the inspect rtsp command in policy map class configuration mode, which is accessible by entering the class command within policy map configuration mode. To remove the configuration, enter the no form of the command. This command is disabled by default.
Restrictions and Limitations
The following restrictions apply to the inspect rtsp command.
• The security appliance does not support multicast RTSP or RTSP messages over UDP.
• PAT is not supported with the inspect rtsp command.
• The security appliance does not have the ability to recognize HTTP cloaking where RTSP messages are hidden in the HTTP messages.
The CLI enters the policy map configuration mode and the prompt changes accordingly, as follows:
hostname(config-pmap)#
Step 5 Specify the traffic class defined in Step 2 to be included in the policy map by entering the following command:
hostname(config-pmap)# class class_map_name
For example, the following command assigns the rtsp_port traffic class to the current policy map.
hostname(config-pmap-c)# inspect rtsp 8554
hostname(config-pmap-c)# exit
hostname(config)# service-policy inbound_policy interface outside
To enable RTSP inspection for all interfaces, enter the global parameter in place of interface outside.
Managing SIP Inspection
This section describes how to enable SIP application inspection and change the default port configuration.
MESSAGE/INFO requests can come in at any time after registration/subscription. For example, two users can be online at any time, but not chat for hours. Therefore, the SIP inspection engine opens pinholes that time out according to the configured SIP timeout value. This value must be configured at least five minutes longer than the subscription duration.
When you enter the class-map command, the CLI enters the class map configuration mode, and the prompt changes, as in the following example:
hostname(config-cmap)#
Step 2 In the class map configuration mode, define the match command, as in the following example:
hostname(config-cmap)# match port tcp eq 5060
hostname(config-cmap)# exit
hostname(config)#
To assign a range of contiguous ports, enter the range keyword, as in t
For example, the following command applies the inbound_policy to the outside interface:
hostname(config)# service-policy inbound_policy interface outside
The following command applies the inbound_policy to all the security appliance interfaces:
hostname(config)# service-policy inbound_policy global
You enable the SIP inspection engine as shown in Example 21-8, which creates a class map to match SIP traffic on the defa
The following is sample output from the show sip command:
hostname# show sip
Total: 2
call-id c3943000-960ca-2e43-228f@10.130.56.44
state Call init, idle 0:00:01
call-id c3943000-860ca-7e1f-11f7@10.130.56.45
state Active, idle 0:00:06
This sample shows two active SIP sessions on the security appliance (as shown in the Total field). Each call-id represents a call.
Supporting Cisco IP Phones
In topologies where Cisco CallManager is located on the higher security interface with respect to the Cisco IP Phones, if NAT is required for the Cisco CallManager IP address, the mapping must be static as a Cisco IP Phone requires the Cisco CallManager IP address to be specified explicitly in its configuration.
hostname(config)#
To assign a range of contiguous ports, enter the range keyword, as in the following example:
hostname(config-cmap)# match port tcp range 2000 2010
To assign more than one non-contiguous port for SCCP inspection, enter the access-list command and define an access control entry to match each port. Then enter the match command to associate the access lists with the SCCP traffic class.
You enable the SCCP inspection engine as shown in Example 21-9, which creates a class map to match SCCP traffic on the default port (2000). The service policy is then applied to the outside interface.
SMTP and Extended SMTP Inspection Overview
ESMTP application inspection provides improved protection against SMTP-based attacks by restricting the types of SMTP commands that can pass through the security appliance and by adding monitoring capabilities. ESMTP is an enhancement to the SMTP protocol and is similar in most respects to SMTP.
• For unknown commands, the security appliance changes all the characters in the packet to X. In this case, the server generates an error code to the client. Because of the change in the packet, the TCP checksum has to be recalculated or adjusted.
• TCP stream editing.
• Command pipelining.
The CLI enters the policy map class configuration mode and the prompt changes accordingly, as follows:
hostname(config-pmap-c)#
Step 5 (Optional) To change the default port used by the security appliance for receiving SMTP traffic, enter the following command:
hostname(config-pmap-c)# inspect esmtp
Step 6 Return to policy map configuration mode by entering the following command:
hostname(config-pmap-c)# exit
hostname(co
SNMP Inspection Overview
Use the inspect snmp command to enable SNMP inspection, using the settings configured with an SNMP map, which you create by entering the snmp-map command. Enter the deny version command in SNMP map configuration mode to restrict SNMP traffic to a specific version of SNMP. Earlier versions of SNMP are less secure, so denying SNMP Version 1 traffic may be required by your security policy.
Step 5 Define the configuration of the SNMP map by entering the following command:
hostname(config-snmp-map)# deny version version
Replace version with one or more SNMP versions that you want to restrict, for example:
hostname(config-snmp-map)# deny version 1
Step 6 Name the policy map by entering the following command:
hostname(config)# policy-map policy_map_name
Replace policy_map_name with the name of the policy
The following command applies the inbound_policy to all the security appliance interfaces:
hostname(config)# service-policy inbound_policy global
The following example identifies SNMP traffic, defines an SNMP map, defines a policy, enables SNMP inspection, and applies the policy to the outside interface:
Example 21-11 Configuring SNMP Application Inspection
hostname(config)# access-list snmp_acl permit tcp any any eq
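The following configuration is an added example, not taken from the guide, that combines in one inbound policy the map-based engines covered in this chapter: the HTTP map (Managing HTTP Inspection), the H.225 and H.323 timeouts (Configuring H.225 Timeout Values), the MGCP map with its call agent and gateway (Configuring and Enabling MGCP Inspection) and the SNMP map that denies version 1 (SNMP Inspection Overview). All map, class, policy and access-list names, the IP addresses, the MGCP group IDs and the HTTP length limits are constructed; the H.323 timeout values are the defaults stated in this chapter and the H.225 timeout is tightened from its default.

```cisco
! Added example (not from the guide). Names, addresses, group IDs and
! limits are constructed for illustration.
! --- HTTP map: strict RFC checks plus size limits, violations reset and logged
hostname(config)# http-map inbound_http
hostname(config-http-map)# strict-http
hostname(config-http-map)# content-length min 100 max 2000 action reset log
hostname(config-http-map)# max-uri-length 100 action reset log
hostname(config-http-map)# exit
! --- SNMP map: refuse SNMPv1 (cleartext community strings, no integrity)
hostname(config)# snmp-map inbound_snmp
hostname(config-snmp-map)# deny version 1
hostname(config-snmp-map)# exit
! --- MGCP map: the call agent and gateway that belong to the same group
hostname(config)# mgcp-map inbound_mgcp
hostname(config-mgcp-map)# call-agent 10.10.11.5 101
hostname(config-mgcp-map)# gateway 10.10.10.115 101
hostname(config-mgcp-map)# exit
! --- H.323 timeouts are global settings, not part of a map
hostname(config)# timeout h225 0:30:00
hostname(config)# timeout h323 0:05:00
! --- Traffic classes (MGCP uses two non-contiguous ports, so an ACL is used)
hostname(config)# access-list mgcp_acl permit udp any any eq 2427
hostname(config)# access-list mgcp_acl permit udp any any eq 2727
hostname(config)# class-map http_port
hostname(config-cmap)# match port tcp eq 80
hostname(config-cmap)# exit
hostname(config)# class-map snmp_port
hostname(config-cmap)# match port udp eq 161
hostname(config-cmap)# exit
hostname(config)# class-map mgcp_ports
hostname(config-cmap)# match access-list mgcp_acl
hostname(config-cmap)# exit
hostname(config)# class-map h323_port
hostname(config-cmap)# match port tcp eq 1720
hostname(config-cmap)# exit
! --- One policy map, one inspect action per class
hostname(config)# policy-map inbound_policy
hostname(config-pmap)# class http_port
hostname(config-pmap-c)# inspect http inbound_http
hostname(config-pmap-c)# class snmp_port
hostname(config-pmap-c)# inspect snmp inbound_snmp
hostname(config-pmap-c)# class mgcp_ports
hostname(config-pmap-c)# inspect mgcp inbound_mgcp
hostname(config-pmap-c)# class h323_port
hostname(config-pmap-c)# inspect h323 h225
hostname(config-pmap-c)# exit
hostname(config-pmap)# exit
hostname(config)# service-policy inbound_policy interface outside
! --- Verify maps, policy and live sessions
hostname(config)# show running-config http-map
hostname(config)# show running-config snmp-map
hostname(config)# show running-config mgcp-map
hostname(config)# show service-policy interface outside
hostname(config)# show mgcp sessions
hostname(config)# show h225
```

Because strict HTTP inspection resets and logs by default once an HTTP map is attached, expect resets on non-conforming clients when this policy first goes live; review the log before widening the content-length and URI limits.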
C H A P T E R 22 Configuring ARP Inspection and Bridging Parameters Transparent Firewall Mode Only This chapter describes how to enable ARP inspection and how to customize bridging operations for the security appliance. In multiple context mode, the commands in this chapter can be entered in a security context, but not the system.
Configuring ARP Inspection
ARP inspection prevents malicious users from impersonating other hosts or routers (known as ARP spoofing). ARP spoofing can enable a “man-in-the-middle” attack. For example, a host sends an ARP request to the gateway router; the gateway router responds with the gateway router MAC address. The attacker, however, sends another ARP response to the host with the attacker MAC address instead of the router MAC address.
Customizing the MAC Address Table
This section describes the MAC address table, and includes the following topics:
• MAC Address Table Overview, page 22-3
• Adding a Static MAC Address, page 22-3
• Setting the MAC Address Timeout, page 22-3
• Disabling MAC Address Learning, page 22-4
• Viewing the MAC Address Table, page 22-4
MAC Address Table Overview
The security appliance learns and builds a MAC ad
Disabling MAC Address Learning
By default, each interface automatically learns the MAC addresses of entering traffic, and the security appliance adds corresponding entries to the MAC address table. You can disable MAC address learning if desired; however, unless you statically add MAC addresses to the table, no traffic can pass through the security appliance.
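The following transparent-mode configuration is an added example, not taken from the guide, that puts the ARP inspection and MAC address table sections of this chapter together: a static ARP entry for the gateway, ARP inspection that drops mismatched and unknown bindings on the inside interface, and a static MAC entry with learning disabled on the same interface. The interface name, the addresses and the MAC addresses are constructed.

```cisco
! Added example (not from the guide). Interface, IP and MAC addresses are
! constructed. Transparent firewall mode is assumed.
! 1. Static ARP binding for the default gateway; inspection checks
!    ARP packets against this table
hostname(config)# arp inside 10.1.1.1 0009.7cf6.9e9a
! 2. Enable ARP inspection on inside. no-flood: ARP packets with no static
!    entry are dropped rather than flooded to the other interfaces, so a
!    spoofed reply for 10.1.1.1 with a different MAC never reaches hosts
hostname(config)# arp-inspection inside enable no-flood
! 3. Static MAC entry for a server on inside, then stop learning on that
!    interface so only statically listed stations can forward
hostname(config)# mac-address-table static inside 0009.7cf6.9e9b
hostname(config)# mac-learn inside disable
! Shorter aging for interfaces that still learn (minutes)
hostname(config)# mac-address-table aging-time 10
! 4. Verify
hostname(config)# show arp-inspection
hostname(config)# show arp
hostname(config)# show mac-address-table
```

With learning disabled on inside, every station behind that interface needs a static MAC entry or its frames are not forwarded; with no-flood, every station that must send ARP needs a static ARP entry. Both settings are strict by design and should be staged on one interface at a time while watching the log for dropped ARP packets.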
P A R T 3 Configuring VPN
C H A P T E R 23 Configuring IPSec and ISAKMP This chapter describes how to configure the IPSec and ISAKMP standards to build virtual private networks.
IPSec Overview
IPSec provides the most complete architecture for VPN tunnels, and it is perceived as the most secure protocol. IPSec provides authentication and encryption services to prevent unauthorized viewing or modification of data within your network or as it travels over an unprotected network, such as the public Internet.
ISAKMP Overview
IKE, also called ISAKMP, is the negotiation protocol that lets two hosts agree on how to build an IPSec security association. Each ISAKMP negotiation is divided into two sections, Phase 1 and Phase 2. Phase 1 creates the first tunnel, which protects later ISAKMP negotiation messages. Phase 2 creates the tunnel that protects data.
Table 23-1 ISAKMP Policy Keywords for CLI Commands (continued)
Command | Keyword | Meaning | Description
isakmp policy group | 1 | Group 1 (768-bit) | Specifies the Diffie-Hellman group identifier, which the two IPSec peers use to derive a shared secret without transmitting it to each other. The default, Group 2 (1024-bit Diffie-Hellman), requires less CPU time to execute but is less secure than Group 5 or 7.
Chapter 23 Configuring IPSec and ISAKMP Configuring ISAKMP To enable and configure ISAKMP, complete the following steps, using the examples as a guide: Note Step 1 If you do not specify a value for a given policy parameter, the default value applies. Specify the encryption algorithm. The default is Triple DES. This example sets encryption to DES.
Chapter 23 Configuring IPSec and ISAKMP Configuring ISAKMP Disabling ISAKMP in Aggressive Mode Phase 1 ISAKMP negotiations can use either main mode or aggressive mode. Both provide the same services, but aggressive mode requires only two exchanges between the peers, rather than three. Aggressive mode is faster, but does not provide identity protection for the communicating parties.
Chapter 23 Configuring IPSec and ISAKMP Configuring ISAKMP Enabling IPSec over NAT-T NAT-T lets IPSec peers establish a connection through a NAT device. It does this by encapsulating IPSec traffic in UDP datagrams, using port 4500, thereby providing NAT devices with port information. NAT-T auto-detects any NAT devices, and only encapsulates IPSec traffic when necessary. This feature is disabled by default.
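The following configuration is an added example, not text from the Cisco guide. It places an ISAKMP policy built from the weak choices discussed above (DES, MD5, Group 1) next to a hardened replacement, refuses aggressive mode, and enables NAT-T. The policy numbers, the interface name outside, the lifetimes and the comment lines (which begin with ! and are for the reader) are assumptions.

```text
! --- Weak policy: DES, MD5, 768-bit DH, aggressive mode still accepted ---
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

! --- Hardened policy: lower priority number is offered first ---
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 5
isakmp policy 5 lifetime 28800

! Remove the weak policy so a peer cannot negotiate down to it
no isakmp policy 10

! Aggressive mode exposes the identity and the PSK-derived hash before
! encryption starts. Refuse it when every peer supports main mode
! (the Cisco VPN Client with a preshared key needs aggressive mode, so
! leave this out on an appliance that terminates those clients).
isakmp am-disable

! NAT-T is off by default; enable it with a 20-second NAT keepalive
isakmp nat-traversal 20

! Listen for ISAKMP on the outside interface
isakmp enable outside

! Verify the policies in effect and the Phase 1 SAs that result
show running-config isakmp
show isakmp sa
```

The policy numbers matter: the appliance offers policies in ascending number order, so the strongest suite should carry the lowest number, and a weak policy that stays in the configuration is still negotiable by any peer that asks for it.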
IPSec over TCP works with remote access clients. You enable it globally, and it works on all ISAKMP-enabled interfaces. It is a client-to-security-appliance feature only. It does not work for LAN-to-LAN connections.
• The security appliance can simultaneously support standard IPSec, IPSec over TCP, NAT-Traversal, and IPSec over UDP, depending on the client with which it is exchanging data.
The security appliance can notify qualified peers (in LAN-to-LAN configurations), VPN clients and VPN 3002 hardware clients of sessions that are about to be disconnected. The peer or client receiving the alert decodes the reason and displays it in the event log or in a pop-up panel. This feature is disabled by default. Qualified clients and peers include the following:
• security appliances with Alerts enabled.
Configuring Certificate Group Matching
policy Specifies the policy for deriving the tunnel group name from the certificate. Policy can be one of the following:
ike-id—Indicates that if a tunnel group is not determined based on a rule lookup or taken from the OU, then the certificate-based ISAKMP sessions are mapped to a tunnel group based on the content of the Phase 1 ISAKMP ID.
Using the Tunnel-group-map default-group Command
This command specifies a default tunnel group to use when the name cannot be derived by other configured methods. The syntax is tunnel-group-map [rule-index] default-group tunnel-group-name, where rule-index is the priority for the rule, and tunnel-group-name must name a tunnel group that already exists.
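The following is an added example, not configuration from the Cisco guide, showing certificate group matching end to end: two certificate maps keyed on fields of the peer certificate, rule-based matching turned on, each rule bound to a tunnel group, and a default group for certificates that match no rule. The OU and issuer values, the tunnel-group names (which must already exist) and the comment lines are assumptions; the command forms are the 7.0 forms used in this chapter.

```text
! Rule 10: certificates whose subject OU is Engineering
crypto ca certificate map 10
 subject-name attr ou eq Engineering

! Rule 20: Sales certificates, but only from the expected issuing CA
crypto ca certificate map 20
 subject-name attr ou eq Sales
 issuer-name attr cn eq Corp-Issuing-CA

! Use the rules above (rather than the bare OU or the IKE ID) to pick the group
tunnel-group-map enable rules

! Bind each rule index to the tunnel group it should land in
tunnel-group-map 10 EngTunnelGroup
tunnel-group-map 20 SalesTunnelGroup

! Certificates that match no rule fall back here instead of DefaultRAGroup
tunnel-group-map default-group RestrictedGroup

! Confirm the mapping as the appliance sees it
show running-config tunnel-group-map
```

Rule-based matching is preferable to the ou policy when the CA issues certificates with caller-supplied subject fields: with ou, the OU string in any certificate the CA signs selects the tunnel group directly, whereas a rule can also pin the issuer and send everything unexpected to a restricted group.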
Configuring IPSec
Understanding Transform Sets
A transform set is a combination of security protocols and algorithms that define how the security appliance protects data. You create multiple transform sets, and then specify one or more of them in a crypto map entry. During IPSec SA negotiations, the peers must identify a transform set that is the same at both peers.
Create multiple crypto map entries for a given security appliance interface if any of the following conditions exist:
• Different data flows are to be handled by separate peers.
• Determine whether or not to accept requests for IPSec security associations on behalf of the requested data flows when processing IKE negotiation from the peer. (Negotiation is done only for ipsec-isakmp crypto map entries.) For the peer's request to be accepted during negotiation, the peer should specify a data flow that is "permitted" by a crypto access list associated with an ipsec-isakmp crypto map command entry.
If you configure multiple statements for a given crypto access list that is used for IPSec, in general the first permit statement that matches is the statement that determines the scope of the IPSec security association. That is, the IPSec security association is set up to protect traffic that meets the criteria of the matched statement only.
Assuming that the particular crypto map entry does not have lifetime values configured, when the security appliance requests new security associations it specifies its global lifetime values in the request to the peer; it uses this value as the lifetime of the new security associations.
For example:
crypto map mymap 10 set peer 192.168.1.100
The security association is set up with the peer having an IP address of 192.168.1.100. Specify multiple peers by repeating this command.
c. Specify which transform sets are allowed for this crypto map entry. List multiple transform sets in order of priority (highest priority first). You can specify up to six transform sets.
Using Dynamic Crypto Maps
Dynamic crypto maps can ease IPSec configuration, and we recommend them for use in networks where the peers are not always predetermined. You use dynamic crypto maps for VPN clients (such as mobile users) and routers that obtain dynamically assigned IP addresses.
Note: Use care when using the any keyword in permit command entries in dynamic crypto maps. A permit any entry lets the security appliance accept a security association for whatever data flow a remote peer proposes, so place deny entries for traffic that IPSec should not protect (broadcast and multicast traffic, for example) ahead of it in the access list.
Create a crypto dynamic map entry by performing the following steps:
Step 1 (Optional) Assign an access list to a dynamic crypto map entry:
crypto dynamic-map dynamic-map-name dynamic-seq-num match address access-list-name
This determines which traffic should be protected and not protected. For example:
crypto dynamic-map dyn1 10 match address 101
In this example, access list 101 is assigned to dynamic crypto map "dyn1".
Providing Site-to-Site Redundancy
You can define multiple peers by using crypto maps to provide redundancy. This configuration is useful for site-to-site VPNs. If one peer fails, the security appliance establishes a tunnel to the next peer associated with the crypto map. It sends data to the peer that it has successfully negotiated with, and that peer becomes the "active" peer.
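The following is an added example, not configuration from the Cisco guide. It ties together the crypto map points above: a crypto access list whose first matching permit sets the SA scope (with a deny for multicast placed ahead of it), a prioritized list of transform sets, two peers for site-to-site redundancy, and a per-entry lifetime that overrides the global one. The map name mymap and the peer 192.168.1.100 follow the text above; the second peer, the networks, the access-list and transform-set names, and the comment lines are assumptions.

```text
! Two transform sets, strongest first; the peer must match one of them
crypto ipsec transform-set strong esp-aes-256 esp-sha-hmac
crypto ipsec transform-set compat esp-3des esp-sha-hmac

! Global lifetime used by any entry that does not set its own
crypto ipsec security-association lifetime seconds 28800

! Crypto access list: the first matching permit defines the SA scope.
! Deny multicast first so a broad permit never tries to protect it.
access-list to_branch extended deny ip 10.1.0.0 255.255.0.0 224.0.0.0 240.0.0.0
access-list to_branch extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

crypto map mymap 10 match address to_branch
! Peers are tried in order; the first that completes negotiation is active
crypto map mymap 10 set peer 192.168.1.100 192.168.1.101
! Transform sets in priority order (up to six)
crypto map mymap 10 set transform-set strong compat
! Require PFS so a compromised Phase 1 key does not expose old data keys
crypto map mymap 10 set pfs group5
! Shorter lifetime for this entry only; overrides the global value above
crypto map mymap 10 set security-association lifetime seconds 3600
crypto map mymap interface outside

! Which peer is active, and the lifetime actually negotiated
show crypto ipsec sa
```

The deny entry is a scope limit, not a filter: traffic it matches simply is not offered to IPSec, so it leaves the interface in the clear or is dropped by the interface access list, whichever applies.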
Clearing Crypto Map Configurations
Table 23-3 lists commands you can enter to clear and reinitialize IPSec security associations.
Table 23-3 Commands to Clear and Reinitialize IPSec SAs
clear configure crypto: Removes an entire crypto configuration, including IPSec, crypto maps, dynamic crypto maps, and ISAKMP.
clear configure crypto ca trustpoint: Removes all trustpoints.
clear configure crypto dynamic-map: Removes all dynamic crypto maps.
Cisco Security Appliance Command Line Configuration Guide, OL-6721-01
CHAPTER 24 Setting General VPN Parameters
The security appliance implementation of virtual private networking includes useful features that do not fit neatly into categories. This chapter describes some of these features.
Permitting Intra-Interface Traffic
The security appliance includes a feature that lets users on the same subnet send IPSec-protected traffic to each other. It does so by allowing such traffic in and out of the same interface. This is called hairpinning. To configure this feature, use the same-security-traffic command in global configuration mode with its intra-interface argument, that is, same-security-traffic permit intra-interface.
Configuring Client Update
The command syntax follows:
client-update type type {url url-string} {rev-nums rev-nums}
no client-update [type]
Syntax Description
rev-nums rev-nums: Specifies the software or firmware images for this client. Enter up to 4, separated by commas.
type: Specifies the operating systems to notify of a client update.
CHAPTER 25 Configuring Tunnel Groups, Group Policies, and Users
This chapter describes how to configure VPN tunnel groups, group policies, and users. This chapter includes the following sections.
• Overview of Tunnel Groups, Group Policies, and Users, page 25-1
• Configuring Tunnel Groups, page 25-4
• Group Policies, page 25-10
• Configuring Users, page 25-26
In summary, you first configure tunnel groups to set the values for the connection. Then you configure group policies.
Note: The security appliance also includes the concept of object groups, which are a superset of network lists. Object groups let you define VPN access to ports as well as networks. Object groups relate to ACLs rather than to group policies and tunnel groups. For more information about using object groups, see Chapter 13, "Identifying Traffic with Access Lists."
• Default group policy for the connection—A group policy is a set of user-oriented attributes. The default group policy is the group policy whose attributes the security appliance uses as defaults when authenticating or authorizing a tunnel user.
Configuring Tunnel Groups
The security appliance provides two default tunnel groups, one for remote access (DefaultRAGroup) and one for LAN-to-LAN (DefaultL2LGroup). You can modify these groups, but you cannot delete them. To see the current configured and default configuration of all your tunnel groups, including the default tunnel groups, enter the show running-config all tunnel-group command.
Configure Remote-Access Tunnel Group General Attributes
To configure the tunnel group general attributes, specify the parameters in the following steps.
Step 8 Specify whether users must exist in the authorization database to connect.
Step 5 Specify the preshared key to support IKE connections based on preshared keys.
Default LAN-to-LAN Tunnel Group Configuration
The contents of the default LAN-to-LAN tunnel group are as follows:
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
 no accounting-server-group
 default-group-policy DfltGrpPolicy
tunnel-group DefaultL2LGroup ipsec-attributes
 no pre-shared-key
 peer-id-validate req
 no chain
 no trust-point
 isakmp keepalive threshold 10 retry 2
LAN
Step 3 Specify the name of the default group policy:
hostname(config-general)# default-group-policy policyname
For example, the following command specifies that the name of the default group policy is "MyPolicy":
hostname(config-general)# default-group-policy MyPolicy
Configure LAN-to-LAN IPSec Attributes
To configure the IPSec attributes, do the following steps:
Step 1 To enter config-ipsec mode, in which you co
Step 6 Specify the ISAKMP keepalive threshold and the number of retries allowed. The threshold parameter specifies the number of seconds (10 through 3600) that the peer is allowed to idle before keepalive monitoring begins. The retry parameter is the interval (2 through 10 seconds) between retries after a keepalive response has not been received. IKE keepalives are enabled by default.
Group Policies
Default Group Policy
The security appliance supplies a default group policy. You can modify this default group policy, but you cannot delete it. A default group policy, named "DfltGrpPolicy", always exists on the security appliance, but this default group policy does not take effect unless you configure the security appliance to use it.
You can modify the default group policy, and you can also create one or more group policies specific to your environment.
Configuring Group Policies
A group policy can apply to either remote-access or LAN-to-LAN IPSec tunnels. In each case, if you do not explicitly define a parameter, the group takes the value from the default group policy.
Every time that you enter the wins-server command, you overwrite the existing setting. For example, if you configure WINS server x.x.x.x and then configure WINS server y.y.y.y, the second command overwrites the first, and y.y.y.y becomes the sole WINS server. The same is true for multiple servers: to keep more than one, list them all in a single command.
Step 7 Specify the number of simultaneous logins allowed.
Note: While there is no maximum limit to the number of simultaneous logins, allowing several could compromise security and affect performance.
The following example shows how to set a filter that invokes an access list named "acl_vpn" for the group policy named "FirstGroup":
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-filter value acl_vpn
Step 10 Specify the VPN tunnel type (IPSec) for this group policy.
hostname(config-group-policy)# vpn-tunnel-protocol IPSec
The default is IPSec.
Step 13 Specify whether to enable data compression. Enabling data compression might speed up data transmission rates for remote dial-in users connecting with modems.
Caution: Data compression increases the memory requirement and CPU usage for each user session and consequently decreases the overall throughput of the security appliance. For this reason, we recommend that you enable data compression only for remote users connecting with a modem.
To disable PFS, enter the disable keyword. To remove the PFS attribute from the running configuration, enter the no form of this command. A group policy can inherit a value for PFS from another group policy; removing the attribute with the no form is what allows that inheritance. To prevent inheriting a value, set it explicitly with pfs enable or pfs disable. The following command removes the attribute so that it is inherited:
hostname(config-group-policy)# no pfs
Step 16 Specify the banner, or welcome message, if any, that you want to display. The default is no banner.
To disable the UDP port, enter the no form of this command. This enables inheritance of a value for the IPSec over UDP port from another group policy.
The value access-list-name parameter identifies an access list that enumerates the networks to tunnel or not tunnel. The none keyword indicates that there is no network list for split tunneling; the security appliance tunnels all traffic. Specifying the none keyword sets a split tunneling network list with a null value, thereby disallowing split tunneling.
The parameter value domain-name provides a domain name that the security appliance resolves through the split tunnel. The none keyword indicates that there is no split DNS list. It also sets a split DNS list with a null value, thereby disallowing a split DNS list, and prevents inheriting a split DNS list from a default or specified group policy.
hostname(config-group-policy)# split-dns {value domain-name1 [domain-name2...
User authentication is disabled by default. When enabled, user authentication requires that individual users behind a hardware client authenticate to gain access to the network across the tunnel. Individual users authenticate according to the order of authentication servers that you configure. If you require user authentication on the primary security appliance, be sure to configure it on any backup servers as well.
When LEAP Bypass is enabled, LEAP packets from wireless devices behind a VPN hardware client travel across a VPN tunnel prior to user authentication. This action lets workstations using Cisco wireless access point devices establish LEAP authentication and then authenticate again per user authentication. LEAP Bypass is disabled by default. Because it lets traffic cross the tunnel before any user has authenticated, enable it only where wireless clients behind a hardware client actually need it.
Note: IEEE 802.1X is a standard for authentication on wired and wireless networks.
Step 28 Configure backup servers if you plan on using them. IPSec backup servers let a VPN client connect to the central site when the primary security appliance is unavailable. To configure backup servers, enter the backup-servers command in group-policy configuration mode.
hostname(config-group-policy)# backup-servers {server1 server2...
Enter the following commands to set the appropriate client firewall parameters.
Table 25-1 client-firewall Command Parameters (continued)
sygate-security-agent: Specifies the Sygate Security Agent firewall type.
vendor-id: Identifies the firewall vendor.
zonelabs-zonealarm: Specifies the Zone Labs ZoneAlarm firewall type.
zonelabs-zonealarmorpro policy: Specifies the Zone Labs ZoneAlarm or ZoneAlarm Pro firewall type.
zonelabs-zonealarmpro policy: Specifies the Zone Labs ZoneAlarm Pro firewall type.
Table 25-2 client-access-rule Command Parameters (continued)
type type: Identifies device types via free-form strings, for example VPN 3002. A string must match exactly its appearance in the show vpn-sessiondb remote display, except that you can enter the * character as a wildcard.
version version: Identifies the device version via free-form strings, for example 7.0.
Configuring Users
Viewing the Username Configuration
To display the configuration for all usernames, including default values inherited from the group policy, enter the all keyword with the show running-config username command, as follows:
hostname# show running-config all username
If you omit the all keyword, only explicitly configured values appear in this list. In this example, the usernames are "testuser" and "oliverw".
The following table describes the meaning of the keywords and variables used in this command.
encrypted: Indicates that the password is encrypted.
name: Provides the name of the user.
nopassword: Indicates that this user needs no password. A user created this way can log in with no credential at all, so use it only for accounts that are authenticated some other way.
password password: Indicates that this user has a password, and provides the password.
privilege priv_level: Sets a privilege level for this user.
The following example shows how to associate the user named "anyuser" with a time-range policy called 824:
hostname(config)# username anyuser attributes
hostname(config-username)# vpn-access-hours value 824
Step 4 Specify the maximum number of simultaneous logins allowed for this user. The range is 0 through 2147483647. The default is 3 simultaneous logins.
You configure ACLs to permit or deny various types of traffic for this user. You then use the vpn-filter command to apply those ACLs.
Group-lock restricts users by checking whether the group configured in the VPN client is the same as the tunnel group to which the user is assigned. If it is not, the security appliance prevents the user from connecting. If you do not configure group-lock, the security appliance authenticates users without regard to the assigned group.
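The following is an added example, not configuration from the Cisco guide. It brings together the group-policy steps above (tunnel protocol, vpn-filter, simultaneous logins, PFS, IPSec over UDP, split tunneling, split DNS, backup servers, banner) and the user steps (password, group-policy binding, access hours, group-lock) for one remote-access group. The names FirstGroup, acl_vpn and the time range 824 follow the text above; the tunnel-group name RemoteUsers, the user oliverw and password, the networks, DNS server addresses, backup-server addresses and comment lines are assumptions.

```text
! What a connected client may reach. For an IPSec client the client is the
! source, so "any" here means "the client's assigned address".
access-list acl_vpn extended permit tcp any 10.1.0.0 255.255.0.0 eq 443
access-list acl_vpn extended permit udp any host 10.1.1.53 eq 53

! Which destination networks the client sends into the tunnel (standard ACL)
access-list corp_nets standard permit 10.1.0.0 255.255.0.0
access-list corp_nets standard permit 10.2.0.0 255.255.0.0

group-policy FirstGroup internal
group-policy FirstGroup attributes
 vpn-tunnel-protocol IPSec
 vpn-filter value acl_vpn
 vpn-simultaneous-logins 1
 vpn-idle-timeout 30
 dns-server value 10.1.1.53
 wins-server none
 pfs enable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value corp_nets
 split-dns value corp.example.com
 backup-servers 192.0.2.10 192.0.2.11
 banner value Authorized use only

! The tunnel group remote users connect to, with FirstGroup as its default policy
tunnel-group RemoteUsers type ipsec-ra
tunnel-group RemoteUsers general-attributes
 default-group-policy FirstGroup

! Business-hours window referenced by vpn-access-hours
time-range 824
 periodic weekdays 08:00 to 18:00

! A local user pinned to FirstGroup and to the RemoteUsers tunnel group
username oliverw password Xk9v2RtLq7mP4sWb
username oliverw attributes
 vpn-group-policy FirstGroup
 vpn-simultaneous-logins 1
 vpn-access-hours value 824
 group-lock value RemoteUsers

! Show effective values, including those inherited from DfltGrpPolicy
show running-config all group-policy FirstGroup
show running-config all username oliverw
```

Two points worth checking after applying this: the vpn-filter ACL is evaluated on traffic from the client, so every rule names the client side as the source; and group-lock only helps if the user's tunnel group is also the one whose preshared key or certificate the client presents, otherwise the user is refused rather than re-homed.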
CHAPTER 26 Configuring IP Addresses for VPNs
This chapter describes IP address assignment methods. IP addresses make internetwork connections possible. They are like telephone numbers: both the sender and receiver must have an assigned number to connect. But with VPNs, there are actually two sets of addresses: the first set connects client and server on the public network. Once that connection is made, the second set connects client and server through the VPN tunnel.
Configuring an IP Address Assignment Method
Configuring Local IP Address Pools
To configure IP address pools to use for VPN remote access tunnels, enter the ip local pool command in global configuration mode. To delete address pools, enter the no form of this command. The security appliance uses address pools based on the tunnel group for the connection.
To configure AAA for IP addressing, perform the following steps:
Step 1 To configure AAA as the address assignment method, enter the vpn-addr-assign command with the aaa argument:
hostname(config)# vpn-addr-assign aaa
hostname(config)#
Step 2 To establish the tunnel group called firstgroup as a remote access or LAN-to-LAN tunnel group, enter the tunnel-group command with the type keyword.
hostname(config)# group-policy remotegroup attributes
hostname(config-group-policy)# dhcp-network-scope 192.86.0.0
To define a DHCP server for IP addressing, perform the following steps.
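The following is an added example, not configuration from the Cisco guide, showing the three address sources this chapter describes enabled together for one tunnel group: a local pool bound to the tunnel group, a DHCP server named on the tunnel group with the scope hint set in the group policy, and AAA assignment. The group-policy name remotegroup and the 192.86.0.0 scope follow the text above; the pool range, DHCP server address, tunnel-group name and comment lines are assumptions.

```text
! Enable each assignment method the appliance may use
vpn-addr-assign aaa
vpn-addr-assign dhcp
vpn-addr-assign local

! Local pool; the mask is what the client is told for its tunnel address
ip local pool rapool 192.168.100.10-192.168.100.200 mask 255.255.255.0

! The tunnel group selects the pool and the DHCP server for its connections
tunnel-group remotegroup type ipsec-ra
tunnel-group remotegroup general-attributes
 address-pool rapool
 dhcp-server 10.1.1.20
 default-group-policy remotegroup

! The scope hint handed to the DHCP server lives in the group policy
group-policy remotegroup internal
group-policy remotegroup attributes
 dhcp-network-scope 192.86.0.0

! Confirm which methods are enabled and which pool the group will draw from
show running-config vpn-addr-assign
show running-config tunnel-group remotegroup
```

If the pool is exhausted, clients are refused rather than given an address outside it, so size the pool to the simultaneous-login limits of the groups that share it and keep the pool range out of any NAT rule that would otherwise translate it.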
CHAPTER 27 Configuring Remote Access VPNs
Remote access VPNs let single users connect to a central site through a secure connection over a TCP/IP network such as the Internet. This chapter describes how to build a remote access VPN connection.
hostname(config)# crypto dynamic-map dyn1 1 set reverse-route
hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1
hostname(config)# crypto map mymap interface outside
hostname(config)# write memory
Configuring Interfaces
A security appliance has at least two interfaces, referred to here as outside and inside.
Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface
The Internet Security Association and Key Management Protocol, also called IKE, is the negotiation protocol that lets two hosts agree on how to build an IPSec Security Association. Each ISAKMP negotiation is divided into two sections called Phase 1 and Phase 2.
Step 7 To save your changes, enter the write memory command.
hostname(config)# write memory
hostname(config)#
Configuring an Address Pool
The security appliance requires a method for assigning IP addresses to users. A common method is using address pools. The alternatives are having a DHCP server assign addresses or having a AAA server assign them. The following example uses an address pool.
Defining a Tunnel Group
Step 1 To configure a transform set, in global configuration mode enter the crypto ipsec transform-set command.
Creating a Dynamic Crypto Map
Step 3 To configure the authentication method, enter ipsec-attributes mode and then enter the pre-shared-key command to create the preshared key. You need to use the same preshared key on both the security appliance and the client. The key is an alphanumeric string of 1-128 characters. In the following example the preshared key is 44kkaol59636jnfx. Treat any key printed in documentation as public: generate a long random key of your own and never reuse a sample value.
Creating a Crypto Map Entry to Use the Dynamic Crypto Map
Next, create a crypto map entry that lets the security appliance use the dynamic crypto map to set the parameters of IPSec security associations.
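The following is an added example, not configuration from the Cisco guide, assembling the remote-access procedure of this chapter into one configuration: interfaces, ISAKMP policy, address pool, tunnel group with a preshared key, transform set, dynamic crypto map with reverse route injection, and the static crypto map entry that references it. The names testpool, testgroup, FirstSet, dyn1 and mymap follow the chapter; the interface addresses, pool range, preshared key (constructed for this example), NAT exemption and comment lines are assumptions.

```text
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
 no shutdown
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 no shutdown

! Phase 1 for remote clients. Do not add "isakmp am-disable" here: the
! Cisco VPN Client uses aggressive mode when it authenticates with a PSK.
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
isakmp enable outside

! Addresses handed to clients
ip local pool testpool 192.168.0.10-192.168.0.20
vpn-addr-assign local

! Tunnel group: pool plus a long random preshared key (constructed here)
tunnel-group testgroup type ipsec-ra
tunnel-group testgroup general-attributes
 address-pool testpool
tunnel-group testgroup ipsec-attributes
 pre-shared-key Jf8q2ZnVb3xLp0tW6sRe4yHd

! Phase 2 proposal, dynamic map (peer address unknown) and the crypto map
crypto ipsec transform-set FirstSet esp-aes-256 esp-sha-hmac
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside

! Keep inside-to-client traffic out of NAT so replies return through the tunnel
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.224
nat (inside) 0 access-list nonat

write memory

! After a client connects: session, Phase 1 and Phase 2 state
show vpn-sessiondb remote
show isakmp sa
show crypto ipsec sa
```

The NAT exemption is the step most often missed: without it, a configured nat/global pair translates the inside hosts' replies toward the client, the traffic no longer matches the negotiated SA, and the client sees a one-way tunnel.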
CHAPTER 28 Configuring LAN-to-LAN VPNs
LAN-to-LAN VPN configurations are between two IPSec security gateways, such as security appliances or other protocol-compliant VPN devices. A LAN-to-LAN VPN connects networks in different geographic locations. This chapter describes how to build a LAN-to-LAN VPN connection.
Configuring Interfaces
A security appliance has at least two interfaces, referred to here as outside and inside. Typically, the outside interface is connected to the public Internet, while the inside interface is connected to a private network and is protected from public access. To begin, configure and enable two interfaces on the security appliance. Then, assign a name, IP address and subnet mask.
Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface
To set the terms of the ISAKMP negotiations, you create an ISAKMP policy, which includes the following:
• An authentication method, to ensure the identity of the peers.
• An encryption method, to protect the data and ensure privacy.
• A Hashed Message Authentication Code (HMAC) method, to ensure the identity of the sender and to ensure that the message has not been modified in transit.
Creating a Transform Set
A transform set combines an encryption method and an authentication method. During the IPSec security association negotiation with ISAKMP, the peers agree to use a particular transform set to protect a particular data flow. The transform set must be the same for both peers. You can create multiple transform sets, and then specify one or more of these transform sets in a crypto map entry.
Defining a Tunnel Group
To configure an ACL, perform the following steps:
Step 1 Enter the access-list extended command. The following example configures an ACL named l2l_list that lets traffic from IP addresses in the 192.168.0.0 network travel to the 150.150.0.0 network. The syntax is access-list listname extended permit ip source-ipaddress source-netmask destination-ipaddress destination-netmask.
hostname(config)# access-list l2l_list extended permit ip 192.168.
Step 2 To set the authentication method to preshared key, enter ipsec-attributes mode and then enter the pre-shared-key command to create the preshared key. You need to use the same preshared key on both security appliances for this LAN-to-LAN connection. The key is an alphanumeric string of 1-128 characters. In the following example the preshared key is 44kkaol59636jnfx.
hostname(config)# tunnel-group 10.
Creating a Crypto Map and Applying It To an Interface
Enter these commands in global configuration mode:
Step 1 To assign an access list to a crypto map entry, enter the crypto map match address command. The syntax is crypto map map-name seq-num match address aclname. In the following example the map name is abcmap, the sequence number is 1, and the access list name is xyz.
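The following is an added example, not configuration from the Cisco guide, assembling this chapter's LAN-to-LAN procedure into one configuration: crypto access list, ISAKMP policy, transform set, tunnel group keyed by the peer address, and the crypto map bound to the outside interface. The names l2l_list, FirstSet and abcmap and the 192.168.0.0 and 150.150.0.0 networks follow the chapter; the peer address 203.0.113.108, the netmasks, the preshared key (constructed for this example), the NAT exemption and comment lines are assumptions.

```text
! Traffic to protect: local 192.168.0.0/16 to remote 150.150.0.0/16.
! The remote gateway needs the mirror image of this list.
access-list l2l_list extended permit ip 192.168.0.0 255.255.0.0 150.150.0.0 255.255.0.0

! Phase 1. Both ends are gateways that support main mode, so refuse aggressive mode.
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 28800
isakmp am-disable
isakmp enable outside

! Phase 2 proposal
crypto ipsec transform-set FirstSet esp-aes-256 esp-sha-hmac

! Tunnel group named by the peer's address; the same key is set on the peer
tunnel-group 203.0.113.108 type ipsec-l2l
tunnel-group 203.0.113.108 ipsec-attributes
 pre-shared-key Q7vLm2xR9pZt4sWb8nKc5yFh
 isakmp keepalive threshold 10 retry 2

! Static crypto map: what to protect, with whom, how, and PFS for new data keys
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer 203.0.113.108
crypto map abcmap 1 set transform-set FirstSet
crypto map abcmap 1 set pfs group5
crypto map abcmap interface outside

! Keep the protected traffic out of NAT
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 150.150.0.0 255.255.0.0
nat (inside) 0 access-list nonat

write memory

! Bring the tunnel up with interesting traffic, then verify both phases
show isakmp sa
show crypto ipsec sa peer 203.0.113.108
```

A LAN-to-LAN tunnel only comes up when both crypto access lists mirror each other exactly; a wider or narrower list on the peer produces a Phase 2 proposal mismatch even when Phase 1 succeeds.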
C H A P T E R 29 Configuring Certificates This chapter describes how to configure certificates. CAs are responsible for managing certificate requests and issuing digital certificates. A digital certificate contains information that identifies a user or device. Some of this information can include a name, serial number, company, department, or IP address. A digital certificate also contains a copy of the public key for the user or device.
Chapter 29 Configuring Certificates Public Key Cryptography Obtaining the public key of a sender is normally handled out-of-band or through an operation done at installation. For instance, most web browsers are configured with the root certificates of several CAs by default. For VPN, the IKE protocol, a component of IPSec, can use digital signatures to authenticate peer devices before setting up security associations.
Chapter 29 Configuring Certificates Public Key Cryptography Separate signing and encryption keys helps reduce exposure of the keys. This is because SSL uses a key for encryption but not signing but IKE uses a key for signing but not encryption. By using separate keys for each, exposure of the keys is minimized. About Trustpoints Trustpoints let you manage and track CAs and certificates. A trustpoint is a representation of a CA or identity pair.
Chapter 29 Configuring Certificates Certificate Configuration The security appliance uses these two factors as follows: • If the NextUpdate field is not required, the security appliance marks CRLs as stale after the length of time defined by the cache-time command. • If the NextUpdate field is required, the security appliance marks CRLs as stale at the sooner of the two times specified by the cache-time command and the NextUpdate field.
Chapter 29 Configuring Certificates Certificate Configuration To prepare a security appliance for certificates, perform the following steps: Step 1 Ensure that the hostname and domain name of the security appliance are configured correctly. You can use the show running-config command to view the hostname and domain name as currently configured. For information about configuring the hostname, see the “Setting the Hostname” section on page 7-2.
Chapter 29 Configuring Certificates Certificate Configuration Note Step 2 When generating DSA keys, you may encounter a delay. On a Cisco PIX 515E Firewall, this delay may extend up to few minutes. (Optional) Use the show crypto key mypubkey command to view key pair(s). Use the rsa and dsa keywords to specify which type of keys you want to view.
Chapter 29 Configuring Certificates Certificate Configuration Step 2 Specify the enrollment method to be used with this trustpoint. Note If the trustpoint uses DSA keys, enrollment must be manual. The security appliance does not support automatic enrollment for certification with DSA keys. To specify the enrollment method, do one of the following items: • To specify SCEP enrollment, use the enrollment url command to configure the URL to be used for SCEP enrollment with the trustpoint you declared.
Chapter 29 Configuring Certificates Certificate Configuration Step 4 • serial-number—During enrollment, asks the CA to include the security appliance serial number in the certificate. • ip-address ip-address—During enrollment, asks the CA to include the IP address of the security appliance in the certificate. • password string—Specifies a challenge phrase that is registered with the CA during enrollment. The CA typically uses this phrase to authenticate a subsequent revocation request.
Chapter 29 Configuring Certificates Certificate Configuration Note Whether a trustpoint uses SCEP for obtaining certificates is determined by the use of the enrollment url command when you configure the trustpoint (see the “Configuring Trustpoints” section on page 29-6). To obtain certificates with SCEP, perform the following steps: Step 1 Obtain the CA certificate for the trustpoint you configured.
Chapter 29 Configuring Certificates Certificate Configuration Note The password is required if the certificate for the security appliance needs to be revoked, so it is crucial that you remember this password. Note it and store it in a safe place. You must enter the crypto ca enroll command for each trustpoint with which the security appliance needs to enroll.
Chapter 29 Configuring Certificates Certificate Configuration
INFO: Certificate has the following attributes:
Fingerprint: 24b81433 409b3fd5 e5431699 8d490d34
Do you accept this certificate? [yes/no]: y
Trustpoint CA certificate accepted.
% Certificate successfully imported
hostname (config)#
Step 3 Generate a certificate request. To do so, use the crypto ca enroll command.
Chapter 29 Configuring Certificates Certificate Configuration The following example manually imports a certificate for the trustpoint Main:
hostname (config)# crypto ca import Main certificate
% The fully-qualified domain name in the certificate will be: securityappliance.example.com
Enter the base 64 encoded certificate.
Chapter 29 Configuring Certificates Certificate Configuration Step 4 Configure the retrieval policy with the policy command. The following keywords for this command determine the policy. • cdp—CRLs are retrieved only from the CRL distribution points specified in authenticated certificates. Note SCEP retrieval is not supported by distribution points specified in certificates. • static—CRLs are retrieved only from URLs you configure. Step 5
Chapter 29 Configuring Certificates Certificate Configuration Note b. If you use a hostname rather than an IP address to specify the LDAP server, be sure you have configured the security appliance to use DNS. For information about configuring DNS, see the dns commands in the Cisco Security Appliance Command Reference.
Chapter 29 Configuring Certificates Certificate Configuration The key pair imported with the trustpoint is assigned a label matching the name of the trustpoint you create. For example, if an exported trustpoint used an RSA key labeled , creating a trustpoint named Main by importing the PKCS12 creates a key pair named Main, not .
Chapter 29 Configuring Certificates Certificate Configuration For more information about the issuer-name and subject-name commands, see the Cisco Security Appliance Command Reference. The following example specifies that any attribute within the Issuer field must contain the string cisco. hostname(config-ca-cert-map)# issuer-name co cisco hostname(config-ca-cert-map)# The following example specifies that within the Subject field an Organizational Unit attribute must exactly match the string Engineering.
PART 4 System Administration
CHAPTER 30 Managing System Access This chapter describes how to access the security appliance for system management through Telnet, SSH, and HTTPS. It also describes how to authenticate and authorize users and how to create login banners.
Chapter 30 Managing System Access Allowing SSH Access Set the timeout from 1 to 1440 minutes. The default is 5 minutes. The default duration is too short in most cases and should be increased until all pre-production testing and troubleshooting has been completed. For example, to let a host on the inside interface with an address of 192.168.1.2 access the security appliance, enter the following command: hostname(config)# telnet 192.168.1.2 255.255.255.
Chapter 30 Managing System Access Allowing SSH Access The security appliance accepts SSH connections from all interfaces, including the one with the lowest security level. Step 4 (Optional) To set the duration for how long an SSH session can be idle before the security appliance disconnects the session, enter the following command: hostname(config)# ssh timeout minutes Set the timeout from 1 to 60 minutes. The default is 5 minutes.
Chapter 30 Managing System Access Allowing HTTPS Access for ASDM The password is saved in the configuration in encrypted form, so you cannot view the original password after you enter it. Use the no password command to restore the password to the default setting. Allowing HTTPS Access for ASDM To use ASDM, you need to enable the HTTPS server, and allow HTTPS connections to the security appliance. All of these tasks are completed if you use the setup command.
Chapter 30 Managing System Access Authenticating and Authorizing System Administrators Configuring Authentication for CLI Access If you enable CLI authentication, the security appliance prompts you for your username and password to log in. After you enter your information, you have access to user EXEC mode. To enter privileged EXEC mode, enter the enable command or the login command (if you are using the local database only).
Chapter 30 Managing System Access Authenticating and Authorizing System Administrators Configuring Authentication for the Enable Command You can configure the security appliance to authenticate users when they enter the enable command. If you do not authenticate the enable command, when you enter enable, the security appliance prompts for the system enable password (set by the enable password command), and you are no longer logged in as a particular user.
Chapter 30 Managing System Access Authenticating and Authorizing System Administrators Configuring Command Authorization By default when you log in, you can access user EXEC mode, which offers only minimal commands. When you enter the enable command (or the login command when you use the local database), you can access privileged EXEC mode and advanced commands, including configuration commands.
Chapter 30 Managing System Access Authenticating and Authorizing System Administrators Local Command Authorization Prerequisites Complete the following tasks as part of your command authorization configuration: • Configure enable authentication. (See the “Configuring Authentication To Access Privileged EXEC Mode” section on page 30-5.) Alternatively, you can use the login command (which is the same as the enable command with authentication), which requires no configuration.
Chapter 30 Managing System Access Authenticating and Authorizing System Administrators See the following information about the options in this command: • show | clear | cmd—These optional keywords let you set the privilege only for the show, clear, or configure form of the command. The configure form of the command is typically the form that causes a configuration change, either as the unmodified command (without the show or clear prefix) or as the no form.
Chapter 30 Managing System Access Authenticating and Authorizing System Administrators This example shows an additional command, the configure command, that uses the mode keyword:
hostname(config)# privilege show level 5 mode cmd command configure
hostname(config)# privilege clear level 15 mode cmd command configure
hostname(config)# privilege cmd level 15 mode cmd command configure
hostname(config)# privilege cmd level 15 mode enable command configure
Note This last line is for the configure termina
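The following Python model is added here and is not part of the Cisco guide. It loads the four privilege entries shown above and decides whether a user at a given privilege level may run a typed command in a given mode, distinguishing the show, clear, and configure (including no) forms the way the guide describes. The fallback level for commands with no privilege entry (DEFAULT_LEVEL) and the treatment of an entry without a show/clear/cmd keyword as applying to all three forms are assumptions of this example.

```python
import re
from typing import Dict, Optional, Tuple

# Grammar of the lines this example understands:
#   privilege [show | clear | cmd] level N [mode M] command C
PRIVILEGE_RE = re.compile(
    r"^privilege(?:\s+(show|clear|cmd))?\s+level\s+(\d+)"
    r"(?:\s+mode\s+(\S+))?\s+command\s+(\S+)$"
)

# Assumption: a command with no matching privilege entry needs this level.
# The guide does not list the built-in default levels, so this is a placeholder.
DEFAULT_LEVEL = 15


class PrivilegeTable:
    """Maps (form, mode, command) to the level that a `privilege` line assigned."""

    def __init__(self) -> None:
        self._levels: Dict[Tuple[str, Optional[str], str], int] = {}

    def add(self, line: str) -> None:
        """Parse one `privilege ...` configuration line into the table."""
        m = PRIVILEGE_RE.match(line.strip())
        if not m:
            raise ValueError(f"not a privilege command: {line!r}")
        form, level, mode, command = m.groups()
        # Assumption: without show/clear/cmd the level applies to all three forms.
        for f in ((form,) if form else ("show", "clear", "cmd")):
            self._levels[(f, mode, command)] = int(level)

    @staticmethod
    def classify(cli_line: str) -> Tuple[str, str, str]:
        """Split a typed line into (form, main command, remaining arguments).
        The configure form covers both the bare command and its no form."""
        words = cli_line.split()
        if words and words[0] in ("show", "clear"):
            form, rest = words[0], words[1:]
        elif words and words[0] == "no":
            form, rest = "cmd", words[1:]
        else:
            form, rest = "cmd", words
        if not rest:
            raise ValueError(f"no command in {cli_line!r}")
        return form, rest[0], " ".join(rest[1:])

    def required_level(self, cli_line: str, mode: str) -> int:
        """Level needed for `cli_line` entered in `mode` (for example 'cmd' or 'enable').
        An entry for the exact mode wins over a mode-less entry, then the default."""
        form, command, _ = self.classify(cli_line)
        for key in ((form, mode, command), (form, None, command)):
            if key in self._levels:
                return self._levels[key]
        return DEFAULT_LEVEL

    def authorized(self, cli_line: str, mode: str, user_level: int) -> bool:
        return user_level >= self.required_level(cli_line, mode)


def table_from_guide_example() -> PrivilegeTable:
    """Load the four entries shown in the guide's configure example above."""
    table = PrivilegeTable()
    for line in (
        "privilege show level 5 mode cmd command configure",
        "privilege clear level 15 mode cmd command configure",
        "privilege cmd level 15 mode cmd command configure",
        "privilege cmd level 15 mode enable command configure",
    ):
        table.add(line)
    return table


if __name__ == "__main__":
    t = table_from_guide_example()
    for level in (5, 15):
        print(level, "show configure:", t.authorized("show configure", "cmd", level),
              "configure terminal:", t.authorized("configure terminal", "enable", level))
```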
Chapter 30 Managing System Access Authenticating and Authorizing System Administrators Configuring TACACS+ Command Authorization If you enable TACACS+ command authorization, and a user enters a command at the CLI, the security appliance sends the command and username to the TACACS+ server to determine if the command is authorized. When configuring command authorization with a TACACS+ server, do not save your configuration until you are sure it works the way you want.
Chapter 30 Managing System Access Authenticating and Authorizing System Administrators • You can permit all arguments of a command that you do not explicitly deny by selecting the Permit Unmatched Args check box. For example, you can configure just the show command, and then all the show commands are allowed. We recommend using this method so that you do not have to anticipate every variant of a command, including abbreviations and ?, which shows CLI usage (see Figure 30-1).
Chapter 30 Managing System Access Authenticating and Authorizing System Administrators Figure 30-3 • Disallowing Arguments When you abbreviate a command at the command line, the security appliance expands the prefix and main command to the full text, but it sends additional arguments to the TACACS+ server as you enter them. For example, if you enter sh log, then the security appliance sends the entire command to the TACACS+ server, show logging.
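The following Python example is added here and is not part of the Cisco guide. It models what the two preceding sections describe: the appliance expands an abbreviated prefix and main command (sh log becomes show logging) but forwards any further arguments exactly as typed, and the TACACS+ server then matches the result against per-command rules with permitted and denied argument patterns and a Permit Unmatched Args option. The command subset in MAIN_COMMANDS, the rule structure and SAMPLE_RULES are constructed for the example; the real appliance expands against its full command tree.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed subset of the command tree used to expand abbreviations (assumption).
PREFIXES: Tuple[str, ...] = ("show", "clear", "no")
MAIN_COMMANDS: Dict[Optional[str], Tuple[str, ...]] = {
    "show": ("logging", "running-config", "pager", "version", "interface"),
    "clear": ("logging", "pager", "configure"),
    "no": ("logging", "access-list"),
    None: ("configure", "login", "logout", "quit", "enable", "copy"),
}


def _expand(word: str, candidates: Tuple[str, ...]) -> str:
    """Return the unique candidate that `word` abbreviates; reject ambiguity."""
    if word in candidates:
        return word
    hits = [c for c in candidates if c.startswith(word)]
    if len(hits) != 1:
        raise ValueError(f"{word!r} is {'ambiguous' if hits else 'unknown'}")
    return hits[0]


def expand_for_tacacs(cli_line: str) -> str:
    """Expand only the prefix and main command; arguments are sent as typed."""
    words = cli_line.split()
    if not words:
        raise ValueError("empty command line")
    first = _expand(words[0], PREFIXES + MAIN_COMMANDS[None])
    if first in PREFIXES:
        if len(words) < 2:
            raise ValueError(f"{first} needs a command")
        head, args = [first, _expand(words[1], MAIN_COMMANDS[first])], words[2:]
    else:
        head, args = [first], words[1:]
    return " ".join(head + args)      # args untouched, exactly as the user typed them


@dataclass
class TacacsCommandRule:
    """One command entry on the TACACS+ server: explicitly permitted and denied
    argument patterns (regular expressions) plus the Permit Unmatched Args option."""
    permit_args: List[str] = field(default_factory=list)
    deny_args: List[str] = field(default_factory=list)
    permit_unmatched: bool = False


def authorize(expanded_line: str, rules: Dict[str, TacacsCommandRule]) -> bool:
    """Decide as the server would for the line the appliance sent."""
    command, _, args = expanded_line.partition(" ")
    rule = rules.get(command)
    if rule is None:
        return False                  # command not listed for this user
    if not args:
        return True                   # the bare command itself is listed
    if any(re.fullmatch(p, args) for p in rule.deny_args):
        return False
    if any(re.fullmatch(p, args) for p in rule.permit_args):
        return True
    return rule.permit_unmatched


def authorize_typed(cli_line: str, rules: Dict[str, TacacsCommandRule]) -> bool:
    """End-to-end check: a line that cannot be expanded is never authorized."""
    try:
        return authorize(expand_for_tacacs(cli_line), rules)
    except ValueError:
        return False


# Constructed rule set: all show commands except show running-config, and
# configure only with the literal argument "terminal".
SAMPLE_RULES: Dict[str, TacacsCommandRule] = {
    "show": TacacsCommandRule(deny_args=[r"running-config.*"], permit_unmatched=True),
    "configure": TacacsCommandRule(permit_args=[r"terminal"]),
    "quit": TacacsCommandRule(),
}

if __name__ == "__main__":
    for typed in ("sh log", "sh run", "configure terminal", "conf t"):
        print(f"{typed!r} -> {expand_for_tacacs(typed)!r}: {authorize_typed(typed, SAMPLE_RULES)}")
```

Note that conf t is denied under SAMPLE_RULES because the argument t is forwarded unexpanded and never matches the pattern terminal; this is the case the guide's recommendation to use Permit Unmatched Args is meant to avoid.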
Chapter 30 Managing System Access Authenticating and Authorizing System Administrators
– show pager
– clear pager
– quit
– show version
Enabling TACACS+ Command Authorization Before you enable TACACS+ command authorization, be sure that you are logged into the security appliance as a user that is defined on the TACACS+ server, and that you have the necessary command authorization to continue configuring the security appliance. For example, you should log in as an admin user with all commands authorized.
Chapter 30 Managing System Access Authenticating and Authorizing System Administrators Recovering from a Lockout In some circumstances, when you turn on command authorization or CLI authentication, you can be locked out of the security appliance CLI. You can usually recover access by restarting the security appliance. However, if you already saved your configuration, you might be locked out. Table 30-2 lists the common lockout conditions and how you might recover from them.
Chapter 30 Managing System Access Configuring a Login Banner Configuring a Login Banner You can configure a message to display when a user connects to the security appliance, before a user logs in, or before a user enters privileged EXEC mode.
CHAPTER 31 Managing Software, Licenses, and Configurations Managing Licenses When you install the software, the existing activation key is extracted from the original image and stored in a file in the security appliance file system. Obtaining an Activation Key To obtain an activation key, you will need a Product Authorization Key, which you can purchase from your Cisco account representative.
Chapter 31 Managing Software, Licenses, and Configurations Installing Application or ASDM Software Entering a New Activation Key To change the activation key on the security appliance and check the activation key running on the security appliance against the activation key that is stored as a hidden file in the Flash partition of the security appliance, use the activation-key command in global configuration mode.
Chapter 31 Managing Software, Licenses, and Configurations Installing Application or ASDM Software To view extended information about specific files listed, enter the following command:
hostname# show file information cdisk.bin
disk0:/cdisk.bin:
type is image (XXX) []
file size is 4976640 bytes version 7.0(1)
hostname#
The file size listed is for example only.
Chapter 31 Managing Software, Licenses, and Configurations Downloading and Backing Up Configuration Files To copy the application software from an FTP server, enter:
hostname# copy ftp://admin:letmein@209.165.200.227/cisco/xxxfile.bin;type=ip flash:/xxxfile.bin
To copy the ASDM software from an HTTPS server, enter:
hostname# copy http://admin:letmein@209.165.200.228/adsm/asdm.bin flash:/asdm.
Chapter 31 Managing Software, Licenses, and Configurations Downloading and Backing Up Configuration Files To download a text configuration from a server, follow these steps: Step 1 To copy the single mode startup configuration or the multiple mode system startup configuration from the server to flash memory, enter one of the following commands for the appropriate download server: • To copy from a TFTP server, enter the following command: hostname# copy tftp://server[/path]/filename startup-config • To
Chapter 31 Managing Software, Licenses, and Configurations Downloading and Backing Up Configuration Files • To copy from a HTTP or HTTPS server, enter the following command: hostname# copy http[s]://[user[:password]@]server[:port][/path]/filename disk0:[path/]filename Step 3 Copy the new startup configuration to the running configuration using one of these options: • To merge the startup configuration with the current running configuration, enter the following command: hostname(config)# copy startup-
Chapter 31 Managing Software, Licenses, and Configurations Downloading and Backing Up Configuration Files – ip—(Default) Binary passive mode – in—Binary normal mode Use ASCII or binary for configuration files (as in this case), and binary only for image files.
CHAPTER 32 Monitoring and Troubleshooting This chapter describes how to monitor and troubleshoot the security appliance, and includes the following sections: • Monitoring the Security Appliance, page 32-1 • Troubleshooting the Security Appliance, page 32-4 Monitoring the Security Appliance This section describes how to monitor the security appliance, and includes the following topics: • Using System Log Messages, page 32-1 • Using SNMP, page 32-1 Using System Log Messages The security applia
Chapter 32 Monitoring and Troubleshooting Monitoring the Security Appliance Table 32-1 lists supported MIBs and traps for the security appliance and, in multiple mode, for each context. You can download Cisco MIBs from the following website. http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml After you download the MIBs, compile them for your NMS.
Chapter 32 Monitoring and Troubleshooting Monitoring the Security Appliance Table 32-1 SNMP MIB and Trap Support (continued) MIB or Trap Support Description Cisco Firewall MIB The security appliance supports browsing of the following groups: • cfwSystem The information in cfwSystem.cfwStatus, which relates to failover status, pertains to the entire device and not just a single context.
Chapter 32 Monitoring and Troubleshooting Troubleshooting the Security Appliance By default, SNMP core traps are enabled (snmp). If you do not enter a trap type in the command, syslog is the default. To enable or disable all traps, enter the all option. For snmp, you can identify each trap type separately. See Table 32-1 on page 32-2 for a list of traps.
Chapter 32 Monitoring and Troubleshooting Troubleshooting the Security Appliance Enabling ICMP Debug Messages and System Messages Debug messages and system messages can help you troubleshoot why your pings are not successful. The security appliance only shows ICMP debug messages for pings to the security appliance interfaces, and not for pings through the security appliance to other hosts.
Chapter 32 Monitoring and Troubleshooting Troubleshooting the Security Appliance Pinging Security Appliance Interfaces To test that the security appliance interfaces are up and running and that the security appliance and connected routers are routing correctly, you can ping the security appliance interfaces.
Chapter 32 Monitoring and Troubleshooting Troubleshooting the Security Appliance Figure 32-2 Ping Failure at Security Appliance Interface (figure: a router pinging the security appliance) If the ping reaches the security appliance, and the security appliance responds, you see debug messages like the following:
ICMP echo reply (len 32 id 1 seq 256) 209.165.201.1 > 209.165.201.2
ICMP echo request (len 32 id 1 seq 512) 209.165.201.2 > 209.165.201.
Chapter 32 Monitoring and Troubleshooting Troubleshooting the Security Appliance Step 1 To add an access list allowing ICMP from any source host, enter the following command: hostname(config)# access-list ICMPACL extended permit icmp any any By default, when hosts access a lower security interface, all traffic is allowed through. However, to access a higher security interface, you need the preceding access list.
Chapter 32 Monitoring and Troubleshooting Troubleshooting the Security Appliance Disabling the Test Configuration After you complete your testing, disable the test configuration that allows ICMP to and through the security appliance and that prints debug messages. If you leave this configuration in place, it can pose a serious security risk. Debug messages also slow the security appliance performance.
Chapter 32 Monitoring and Troubleshooting Troubleshooting the Security Appliance Password Recovery for the PIX 500 Series Security Appliance Performing password recovery on the security appliance erases the login password, enable password, and aaa authentication console commands. To erase these commands so you can log in with the default passwords, perform the following steps: Step 1 Download the PIX password tool from Cisco.com to a TFTP server accessible from the security appliance.
Chapter 32 Monitoring and Troubleshooting Troubleshooting the Security Appliance
Cisco PIX password tool (4.0) #0: Tue Aug 22 23:22:19 PDT 2005
Flash=i28F640J5 @ 0x300
BIOS Flash=AT29C257 @ 0xd8000
Do you wish to erase the passwords? [yn] y
Passwords have been erased.
Rebooting....
Disabling Password Recovery You might want to disable password recovery to ensure that unauthorized users cannot use the password recovery mechanism to compromise the security appliance.
Chapter 32 Monitoring and Troubleshooting Troubleshooting the Security Appliance Viewing the Crash Dump If the security appliance crashes, you can view the crash dump information. We recommend contacting Cisco TAC if you want to interpret the crash dump. See the show crashdump command in the Cisco Security Appliance Command Reference. Common Problems This section describes common problems with the security appliance, and how you might resolve them.
Chapter 32 Monitoring and Troubleshooting Troubleshooting the Security Appliance Symptom Traffic does not pass between two interfaces on the same security level. Possible Cause You did not enable the feature that allows traffic to pass between interfaces on the same security level. Recommended Action Enable this feature according to the “Allowing Communication Between Interfaces on the Same Security Level” section on page 6-4.
APPENDIX A Feature Licenses and Specifications This appendix describes the feature licenses and specifications. This appendix includes the following sections: • Supported Platforms, page A-1 • Platform Feature Licenses, page A-1 • VPN Specifications, page A-4 Supported Platforms This software version supports the following platforms: • PIX 515/515E • PIX 525 • PIX 535 Platform Feature Licenses The following tables list the feature support for each platform license.
Appendix A Feature Licenses and Specifications Platform Feature Licenses Table A-1 PIX 500 Series Security Appliance License Features
Platform: PIX 515/515E (1)
Platforms and Features      R (Restricted)   UR (Unrestricted)               FO (Failover) (2)     FO-AA (Failover Active/Active) (2)
Security Contexts           No support       2, Add-on license:              2, Add-on license:    2, Add-on license:
VPN Peers                   2000 IPSec       2000 IPSec                      2000 IPSec            2000 IPSec
Failover                    No support       Active/Standby, Active/Active   Active/Standby        Active/Standby, Active/Activ
Appendix A Feature Licenses and Specifications Platform Feature Licenses Table A-1 PIX 500 Series Security Appliance License Features (continued)
Platforms and Features      R (Restricted)   UR (Unrestricted)               FO (Failover) (2)     FO-AA (Failover Active/Active) (2)
Maximum VLANs               25               100                             100                   100
Concurrent Connections (3)  140 K            280 K                           280 K                 280 K
10 10 10 Max.
Appendix A Feature Licenses and Specifications VPN Specifications VPN Specifications This section describes the VPN specifications for the security appliance. This section includes the following topics: • Cisco VPN Client Support, page A-4 • Site-to-Site VPN Compatibility, page A-4 • Cryptographic Standards, page A-5 Cisco VPN Client Support The security appliance supports a wide variety of software and hardware-based Cisco VPN clients, as shown in Table A-2.
Appendix A Feature Licenses and Specifications VPN Specifications Cryptographic Standards The security appliance supports numerous cryptographic standards and related third-party products and services, including those shown in Table A-4.
APPENDIX B Sample Configurations This appendix illustrates and describes a number of common ways to implement the security appliance, and includes the following topics: • Example 1: Multiple Mode Firewall With Outside Access, page 1 • Example 2: Single Mode Firewall Using Same Security Level, page 5 • Example 3: Shared Resources for Multiple Contexts, page 7 • Example 4: Multiple Mode, Transparent Firewall with Outside Access, page 11 For failover examples, see Chapter 11, “Failover Configu
Appendix B Sample Configurations Example 1: Multiple Mode Firewall With Outside Access Figure B-1 Example 1 (network diagram: Internet at 209.165.201.1; Admin Context outside 209.165.201.2, customerA outside 209.165.201.3, customerB outside 209.165.201.4, customerC outside 209.165.201.5; inside interfaces 10.1.1.1, 10.1.2.1, 10.1.3.1, 10.1.4.1 on the Admin, customerA, customerB and customerC networks; DMZ 192.168.2.1 with Websense 192.168.2.2; host 10.1.2.2; Management host 10.1.1.)
Appendix B Sample Configurations Example 1: Multiple Mode Firewall With Outside Access
hostname Farscape
password passw0rd
enable password chr1cht0n
admin-context admin
interface gigabitethernet 0
 shutdown
interface gigabitethernet 0.3
 no shutdown
interface gigabitethernet 1
 no shutdown
interface gigabitethernet 1.4
 no shutdown
interface gigabitethernet 1.5
 no shutdown
interface gigabitethernet 1.6
 no shutdown
interface gigabitethernet 1.7
 no shutdown
interface gigabitethernet 1.
Appendix B Sample Configurations Example 1: Multiple Mode Firewall With Outside Access
nat (inside) 1 10.1.1.0 255.255.255.0
! This context uses dynamic NAT for inside users that access the outside
global (outside) 1 209.165.201.10-209.165.201.29
! The host at 10.1.1.75 has access to the Websense server in Customer C, so
! it needs a static translation for use in Customer C’s access list
static (inside,outside) 209.165.201.30 10.1.1.75 netmask 255.255.255.
Appendix B Sample Configurations Example 2: Single Mode Firewall Using Same Security Level Example 1: Customer C Context Configuration
interface gigabitethernet 0.3
 nameif outside
 security-level 0
 ip address 209.165.201.5 255.255.255.224
 no shutdown
interface gigabitethernet 1.7
 nameif inside
 security-level 100
 ip address 10.1.4.1 255.255.255.0
 no shutdown
interface gigabitethernet 1.8
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.
Appendix B Sample Configurations Example 2: Single Mode Firewall Using Same Security Level Figure B-2 Example 2 (network diagram: Management Host 209.165.200.225 reached through the Internet at 209.165.201.1; outside 209.165.201.3; Department 1 on dept1 10.1.1.1; DMZ 192.168.2.1 with Syslog Server 192.168.2.2; Department 2 on dept2 10.1.2.1 with host 10.1.2.2 and Department 2 Network 2 at 192.168.1.1)
interface gigabitethernet 0
 nameif outside
 security-level 0
 ip address 209.165.201.3 255.255.255.
Appendix B Sample Configurations Example 3: Shared Resources for Multiple Contexts
route outside 0 0 209.165.201.1 1
nat (dept1) 1 10.1.1.0 255.255.255.0
nat (dept2) 1 10.1.2.0 255.255.255.0
! The dept1 and dept2 networks use PAT when accessing the outside
global (outside) 1 209.165.201.9 netmask 255.255.255.255
! Because we perform dynamic NAT on these addresses for outside access, we need to perform
! NAT on them for all other interface access.
Appendix B Sample Configurations Example 3: Shared Resources for Multiple Contexts Figure B-3 Example 3 (network diagram: Internet at 209.165.201.2; Admin Context outside 209.165.201.3 and inside 10.1.0.1, with Config Server 10.1.0.15 and Admin Host 10.1.0.16; Department 1 outside 209.165.201.4 and inside 10.1.2.1, with Inside Web Server 10.1.2.3; Department 2 outside 209.165.201.5 and inside 10.1.3.1; shared interfaces 10.1.1.1, 10.1.1.2 and 10.1.1.3; on the shared network AAA Server 10.1.1.6, Mail Server 10.1.1.7, Syslog Server 10.1.1.)
Appendix B Sample Configurations Example 3: Shared Resources for Multiple Contexts
hostname Ubik
password pkd55
enable password deckard69
admin-context admin
interface gigabitethernet 0
 no shutdown
interface gigabitethernet 0.200
 no shutdown
interface gigabitethernet 1
 shutdown
interface gigabitethernet 1.201
 no shutdown
interface gigabitethernet 1.202
 no shutdown
interface gigabitethernet 1.300
 no shutdown
context admin
 allocate-interface gigabitethernet 0.200
 allocate-interface gigabitethernet 1.
Appendix B Sample Configurations Example 3: Shared Resources for Multiple Contexts
! Because this host has management access to the servers on the Shared interface, it
! requires a static translation to be used in an access list
static (inside,shared) 10.1.1.78 10.1.0.15 netmask 255.255.255.255
access-list SHARED remark -Allows only mail traffic from inside to exit shared interface
access-list SHARED remark -but allows the admin host to access any server.
access-list SHARED extended permit ip host 10.1.
Appendix B Sample Configurations Example 4: Multiple Mode, Transparent Firewall with Outside Access
access-list MAIL extended permit tcp host 10.1.1.35 eq smtp host 10.1.1.7 eq smtp
access-list MAIL extended permit tcp host 10.1.1.36 eq smtp host 10.1.1.7 eq smtp
access-list MAIL extended permit tcp host 10.1.1.37 eq smtp host 10.1.1.7 eq smtp
access-group MAIL out interface shared
aaa-server AAA-SERVER protocol tacacs+
aaa-server AAA-SERVER (shared) host 10.1.1.
Appendix B Sample Configurations Example 4: Multiple Mode, Transparent Firewall with Outside Access Although inside IP addresses can be the same across contexts, keeping them unique is easier to manage. Figure B-4 Example 4 (network diagram: Internet reached through 10.1.n.2; Admin Context, customerA and customerC contexts each bridging an outside and an inside interface; management addresses 10.1.1.1, 10.1.2.1, 10.1.3.1 and 10.1.4.1; inside hosts 10.1.1.3, 10.1.2.3, 10.1.3.3 and 10.1.4.3; inside networks 192.168.1.1, 192.168.2.1, 192.168.3.1, 192.168.4.)
Appendix B Sample Configurations Example 4: Multiple Mode, Transparent Firewall with Outside Access
hostname Farscape
password passw0rd
enable password chr1cht0n
admin-context admin
interface gigabitethernet 0
 no shutdown
interface gigabitethernet 0.150
 no shutdown
interface gigabitethernet 0.151
 no shutdown
interface gigabitethernet 0.152
 no shutdown
interface gigabitethernet 0.153
 no shutdown
interface gigabitethernet 1
 shutdown
interface gigabitethernet 1.4
 no shutdown
interface gigabitethernet 1.
Appendix B Sample Configurations Example 4: Multiple Mode, Transparent Firewall with Outside Access
ip address 10.1.1.1 255.255.255.0
route outside 0 0 10.1.1.2 1
ssh 10.1.1.75 255.255.255.255 inside
access-list OSPF remark -Allows OSPF
access-list OSPF extended permit 89 any any
access-group OSPF in interface outside
Example 4: Customer A Context Configuration
interface gigabitethernet 0.151
 nameif outside
 security-level 0
 no shutdown
interface gigabitethernet 1.
Appendix B Sample Configurations Example 4: Multiple Mode, Transparent Firewall with Outside Access
enable password treeh0u$e
ip address 10.1.4.1 255.255.255.0
route outside 0 0 10.1.4.
APPENDIX C Using the Command-Line Interface This appendix describes how to use the CLI on the security appliance, and includes the following sections: Note • Firewall Mode and Security Context Mode, page C-1 • Command Modes and Prompts, page C-2 • Syntax Formatting, page C-3 • Abbreviating Commands, page C-3 • Command-Line Editing, page C-3 • Command Completion, page C-3 • Command Help, page C-4 • Filtering show Command Output, page C-4 • Command Output Paging, page C-5 • Addin
Appendix C Using the Command-Line Interface Command Modes and Prompts Command Modes and Prompts The security appliance CLI includes command modes. Some commands can only be entered in certain modes. For example, to enter commands that show sensitive information, you need to enter a password and enter a more privileged mode. Then, to ensure that configuration changes are not entered accidentally, you have to enter a configuration mode.
Appendix C Using the Command-Line Interface Syntax Formatting Syntax Formatting Command syntax descriptions use the following conventions:
Table C-1 Syntax Conventions
Convention   Description
bold         Bold text indicates commands and keywords that you enter literally as shown.
italics      Italic text indicates arguments for which you supply values.
[x]          Square brackets enclose an optional element (keyword or argument).
Appendix C Using the Command-Line Interface Command Help Command Help Help information is available from the command line by entering the following commands: • help command_name Shows help for the specific command. • command_name ? Shows a list of arguments available. • string? (no space) Lists the possible commands that start with the string. • ? and +? Lists all commands available. If you enter ?, the security appliance shows only commands available for the current mode.
Appendix C Using the Command-Line Interface Command Output Paging
Table C-2 Using Special Characters in Regular Expressions
Character Type   Character   Special Meaning
period           .           Matches any single character, including white space.
asterisk         *           Matches 0 or more sequences of the pattern.
plus sign        +           Matches 1 or more sequences of the pattern.
question mark    ?           Matches 0 or 1 occurrences of the pattern. (1)
caret            ^           Matches the beginning of the input string.
Appendix C Using the Command-Line Interface Text Configuration Files Text Configuration Files This section describes how to format a text configuration file that you can download to the security appliance, and includes the following topics: • How Commands Correspond with Lines in the Text File, page C-6 • Command-Specific Configuration Mode Commands, page C-6 • Automatic Text Entries, page C-6 • Line Order, page C-7 • Commands Not Included in the Text Configuration, page C-7 • Passwords, page
Appendix C Using the Command-Line Interface Text Configuration Files Line Order For the most part, commands can be in any order in the file. However, some lines, such as ACEs, are processed in the order they appear, and the order can affect the function of the access list. Other commands might also have order requirements. For example, you must enter the nameif command for an interface first because many subsequent commands use the name of the interface.
APPENDIX D Addresses, Protocols, and Ports This appendix provides a quick reference for IP addresses, protocols, and applications. This appendix includes the following sections: • IPv4 Addresses and Subnet Masks, page D-1 • IPv6 Addresses, page D-5 • Protocols and Applications, page D-11 • TCP and UDP Ports, page D-12 • Local Ports and Protocols, page D-14 • ICMP Types, page D-15 IPv4 Addresses and Subnet Masks This section describes how to use IPv4 addresses in the security appliance.
Appendix D Addresses, Protocols, and Ports IPv4 Addresses and Subnet Masks Classes IP host addresses are divided into three different address classes: Class A, Class B, and Class C. Each class fixes the boundary between the network prefix and the host number at a different point within the 32-bit address. Class D addresses are reserved for multicast IP. • Class A addresses (1.xxx.xxx.xxx through 126.xxx.xxx.xxx) use only the first octet as the network prefix. • Class B addresses (128.0.xxx.
You can also supernet multiple Class C networks into a larger network by using part of the third octet for the extended network prefix. For example, 192.168.0.0/20.

This section includes the following topics:
• Determining the Subnet Mask, page D-3
• Determining the Address to Use with the Subnet Mask, page D-3

Determining the Subnet Mask

To determine the subnet mask based on how many hosts you want, see Table D-1.
Class C-Size Network Address

For a network between 2 and 254 hosts, the fourth octet falls on a multiple of the number of host addresses, starting with 0. For example, the 8-host subnets (/29) of 192.168.0.x are as follows:

Subnet with Mask /29 (255.255.255.248)   Address Range
192.168.0.0                              192.168.0.0 to 192.168.0.7
192.168.0.8                              192.168.0.8 to 192.168.0.15
192.168.0.16                             192.168.0.16 to 192.168.0.31
…                                        …
192.168.0.248                            192.
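The mask lookup, the enumeration of fixed-size subnets, and the supernetting of contiguous Class C-size networks described in the preceding paragraphs can all be reproduced with the Python standard library. The following is an added example and not code from the Cisco guide; it generalizes the /29 table to any block size and any parent network, and the function names are the example's own. It counts addresses the way the guide's tables do (an "8-host" subnet is a /29, whose first and last address are reserved).

```python
"""IPv4 subnetting helpers for the tables in this appendix (added example,
not code from the Cisco guide). Uses only the Python standard library."""
import ipaddress
import math
from typing import List, Tuple


def mask_for_addresses(addresses: int) -> Tuple[int, str]:
    """Smallest block holding `addresses` addresses, as (prefix length, dotted mask).

    Counts whole blocks as the guide's tables do: 8 addresses is a /29, and the
    first and last address of a block are reserved, so usable hosts are two
    fewer (for /30 and larger blocks).
    """
    if not 1 <= addresses <= 2**32:
        raise ValueError("addresses must be between 1 and 2**32")
    host_bits = math.ceil(math.log2(addresses))
    prefix = 32 - host_bits
    mask = ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask
    return prefix, str(mask)


def subnet_ranges(network: str, new_prefix: int) -> List[Tuple[str, str, str]]:
    """Every sub-block of `network` at `new_prefix`, as (subnet, first, last).

    For 192.168.0.0/24 and new_prefix=29 each subnet starts on a multiple of 8
    in the fourth octet, beginning at 0, as in the table above.
    """
    net = ipaddress.IPv4Network(network, strict=True)
    return [
        (f"{sub.network_address}/{sub.prefixlen}",
         str(sub.network_address),
         str(sub.broadcast_address))
        for sub in net.subnets(new_prefix=new_prefix)
    ]


def block_containing(address: str, prefix: int) -> Tuple[str, str]:
    """First and last address of the `prefix`-sized block holding `address`:
    the lookup needed to tell which subnet an observed host belongs to."""
    net = ipaddress.IPv4Interface(f"{address}/{prefix}").network
    return str(net.network_address), str(net.broadcast_address)


def supernet_of(networks: List[str]) -> List[str]:
    """Collapse contiguous networks into the fewest covering prefixes
    (supernetting), e.g. sixteen consecutive /24s into 192.168.0.0/20."""
    nets = [ipaddress.IPv4Network(n) for n in networks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    print(mask_for_addresses(8))
    for row in subnet_ranges("192.168.0.0/24", 29)[:3]:
        print(row)
    print(block_containing("192.168.0.19", 29))
    print(supernet_of([f"192.168.{i}.0/24" for i in range(16)]))
```

Note that `IPv4Network(..., strict=True)` rejects a parent such as 192.168.0.5/24 whose host bits are set, which catches the most common transcription error before any subnet is enumerated.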
IPv6 Addresses

IPv6 is the next generation of the Internet Protocol after IPv4. It provides an expanded address space, a simplified header format, improved support for extensions and options, flow labeling capability, and authentication and privacy capabilities. IPv6 is described in RFC 2460. The IPv6 addressing architecture is described in RFC 3513.
Note: Two colons (::) can be used only once in an IPv6 address to represent successive fields of zeros.

An alternative form of the IPv6 format is often used when dealing with an environment that contains both IPv4 and IPv6 addresses. This alternative has the format x:x:x:x:x:x:y.y.y.
Global Address

The general format of an IPv6 global unicast address is a global routing prefix followed by a subnet ID followed by an interface ID. The global routing prefix can be any prefix not reserved by another IPv6 address type (see IPv6 Address Prefixes, page D-10, for information about the IPv6 address type prefixes).
Unspecified Address

The unspecified address, 0:0:0:0:0:0:0:0, indicates the absence of an IPv6 address. For example, a newly initialized node on an IPv6 network may use the unspecified address as the source address in its packets until it receives its IPv6 address.

Note: The IPv6 unspecified address cannot be assigned to an interface.
Figure D-1 IPv6 Multicast Address Format (figure): a 128-bit address whose first 8 bits are 1111 1111 (FF), followed by a 4-bit Flag field (0 if permanent, 1 if temporary), a 4-bit Scope field (1 = node, 2 = link, 4 = admin, 5 = site, 8 = organization, E = global), and the Interface ID.

IPv6 nodes (hosts and routers) are required to join the following multicast groups:
• The All Nodes multicast addresses:
  – FF01:: (interface-local)
  – FF02:: (link-local)
• The Solicited-Node Address
The following restrictions apply to anycast addresses:
• An anycast address cannot be used as the source address for an IPv6 packet.
• An anycast address cannot be assigned to an IPv6 host; it can only be assigned to an IPv6 router.

Note: Anycast addresses are not supported on the security appliance.
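The textual rules in this section (a single "::", the mixed x:x:x:x:x:x:y.y.y.y form, the unspecified address, and the flag and scope nibbles of the multicast format in Figure D-1) can be checked mechanically. The following Python is an added example, not code from the guide or the appliance: it uses the standard ipaddress module, the function names are the example's own, every sample address is constructed, and the All Nodes groups are taken from RFC 3513, which the section cites. Anycast is deliberately not reported, because an anycast address is syntactically identical to a unicast address and cannot be recognised from the address alone.

```python
"""IPv6 address checks in the terms of this appendix (added example, not
code from the Cisco guide). Standard library only; sample inputs constructed."""
import ipaddress
from typing import Optional

# Scope nibble values as labelled in Figure D-1
MULTICAST_SCOPES = {
    0x1: "node",
    0x2: "link",
    0x4: "admin",
    0x5: "site",
    0x8: "organization",
    0xE: "global",
}

# The All Nodes groups every IPv6 node must join (RFC 3513)
ALL_NODES = (ipaddress.IPv6Address("ff01::1"), ipaddress.IPv6Address("ff02::1"))


def text_form_error(text: str) -> Optional[str]:
    """Describe what is wrong with the textual form, or return None if valid.

    Enforces the rule that '::' may stand for a run of zero fields only once,
    then lets ipaddress validate the rest (hex fields, field count, and the
    mixed x:x:x:x:x:x:y.y.y.y form with an embedded IPv4 address).
    """
    if text.count("::") > 1:
        return "'::' may appear only once in an IPv6 address"
    try:
        ipaddress.IPv6Address(text)
    except ipaddress.AddressValueError as exc:
        return f"not a valid IPv6 address: {exc}"
    return None


def classify(text: str) -> dict:
    """Describe an address as unspecified, multicast (flag and scope decoded),
    IPv4-mapped, link-local unicast or global unicast.

    Anycast is not detected: an anycast address looks exactly like unicast.
    """
    problem = text_form_error(text)
    if problem:
        raise ValueError(problem)
    addr = ipaddress.IPv6Address(text)
    # Compressed and fully written forms of the same address
    info = {"address": str(addr), "exploded": addr.exploded}
    if addr == ipaddress.IPv6Address("::"):
        info["kind"] = "unspecified"  # never assignable to an interface
    elif addr.is_multicast:
        # Octet 0 is 0xFF; octet 1 holds the 4-bit flag field (high nibble)
        # and the 4-bit scope field (low nibble) shown in Figure D-1.
        flags, scope = addr.packed[1] >> 4, addr.packed[1] & 0xF
        info["kind"] = "multicast"
        info["temporary"] = bool(flags & 0x1)  # flag 0 = permanent, 1 = temporary
        info["scope"] = MULTICAST_SCOPES.get(scope, f"unknown({scope:x})")
        info["all_nodes"] = addr in ALL_NODES
    elif addr.ipv4_mapped is not None:
        info["kind"] = "ipv4-mapped"
        info["ipv4"] = str(addr.ipv4_mapped)
    elif addr.is_link_local:
        info["kind"] = "link-local unicast"
    elif addr in ipaddress.IPv6Network("2000::/3"):  # range allocated for global unicast
        info["kind"] = "global unicast"
    else:
        info["kind"] = "other unicast"
    return info


if __name__ == "__main__":
    for sample in ("ff02::1", "ff15::1234", "::", "::ffff:10.1.1.1",
                   "2001:db8::1", "1::2::3"):
        err = text_form_error(sample)
        print(sample, "->", err or classify(sample))
```

The last sample, with two "::" runs, is rejected before parsing; everything else is reported with both its compressed and exploded spelling so that log entries written in different styles can be compared.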
Protocols and Applications

Table D-4 lists the protocol literal values and port numbers; either can be entered in security appliance commands.

Table D-4 Protocol Literal Values

Literal   Value   Description
ah        51      Authentication Header for IPv6, RFC 1826.
eigrp     88      Enhanced Interior Gateway Routing Protocol.
esp       50      Encapsulated Security Payload for IPv6, RFC 1827.
gre       47      Generic Routing Encapsulation.
TCP and UDP Ports

Table D-5 lists the literal values and port numbers; either can be entered in security appliance commands. See the following caveats:
• The security appliance uses port 1521 for SQL*Net. This is the default port used by Oracle for SQL*Net. This value, however, does not agree with IANA port assignments.
• The security appliance listens for RADIUS on ports 1645 and 1646.
Table D-5 Port Literal Values (continued)

Literal   TCP or UDP?   Value   Description
h323      TCP           1720    H.
Table D-5 Port Literal Values (continued)

Literal        TCP or UDP?   Value   Description
sqlnet         TCP           1521    Structured Query Language Network
ssh            TCP           22      Secure Shell
sunrpc (rpc)   TCP, UDP      111     Sun Remote Procedure Call
syslog         UDP           514     System Log
tacacs         TCP, UDP      49      Terminal Access Controller Access Control System Plus
talk           TCP, UDP      517     Talk
telnet         TCP           23      RFC 854 Telnet
tftp           UDP           69      Trivial File Transfer Protocol
tim
Table D-6 Protocols and Ports Opened by Features and Services (continued)

Feature or Service                                  Protocol   Port Number   Comments
IPSec over UDP (Cisco VPN 3000 Series compatible)   UDP        10000         Configurable.
IPSec over TCP (CTCP)                               TCP        —             No default port is used. You must specify the port number when configuring IPSec over TCP.
NTP                                                 UDP        123           —
OSPF                                                89         N/A           Protocol only open on destination IP address 224.0.0.5 and 224.0.0.
Table D-7 ICMP Types (continued)

ICMP Number   ICMP Name
13            timestamp-request
14            timestamp-reply
15            information-request
16            information-reply
17            mask-request
18            mask-reply
31            conversion-error
32            mobile-redirect
Glossary

Numerics

3DES: See DES.

A

AAA: Authentication, authorization, and accounting. See also TACACS+ and RADIUS.

ABR: Area Border Router. In OSPF, a router with interfaces in multiple areas.

ACE: Access Control Entry. Information entered into the configuration that lets you specify what type of traffic to permit or deny on an interface. By default, traffic that is not explicitly permitted is denied.

Access Modes: The security appliance CLI uses several command modes.

ARP: Address Resolution Protocol. A low-level TCP/IP protocol that maps a hardware address, or MAC address, to an IP address. An example hardware address is 00:00:a6:00:01:ba. The first three groups of characters (00:00:a6) identify the manufacturer; the rest of the characters (00:01:ba) identify the system card. ARP is defined in RFC 826.

ASA: Adaptive Security Algorithm. Used by the security appliance to perform inspections.

certificate: A signed cryptographic object that contains the identity of a user or device and the public key of the CA that issued the certificate. Certificates have an expiration date and may also be placed on a CRL if known to be compromised. Certificates also establish non-repudiation for IKE negotiation, which means that you can prove to a third party that IKE negotiation was completed with a specific peer.

CHAP: Challenge Handshake Authentication Protocol.

CLI: command line interface.

CTIQBE: Computer Telephony Interface Quick Buffer Encoding. A protocol used in IP telephony between the Cisco CallManager and CTI TAPI and JTAPI applications. CTIQBE is used by the TAPI/JTAPI protocol inspection module and supports NAT, PAT, and bi-directional NAT. This enables Cisco IP SoftPhone and other Cisco TAPI/JTAPI applications to communicate with Cisco CallManager for call setup and voice traffic across the security appliance.

DN: Distinguished Name. Global, authoritative name of an entry in the OSI Directory (X.500).

DNS: Domain Name System (or Service). An Internet service that translates domain names into IP addresses.

DoS: Denial of Service. A type of network attack in which the goal is to render a network service unavailable.

DSL: digital subscriber line. Public network technology that delivers high bandwidth over conventional copper wiring at limited distances.
F

failover, failover mode: Failover lets you configure two security appliances so that one will take over operation if the other one fails. The security appliance supports two failover configurations, Active/Active failover and Active/Standby failover. Each failover configuration has its own method for determining and performing failover. With Active/Active failover, both units can pass network traffic. This lets you configure load balancing on your network.

GSM: Global System for Mobile Communication. A digital, mobile, radio standard developed for mobile, wireless, voice communications.

GTP: GPRS tunneling protocol. GTP handles the flow of user packet data and signaling information between the SGSN and GGSN in a GPRS network. GTP is defined on both the Gn and Gp interfaces of a GPRS network.

H

H.225: A protocol used for TCP signalling in applications such as video conferencing. See also H.323 and inspection engine.

H.225.

I

IANA: Internet Assigned Number Authority. Assigns all port and protocol numbers for use on the Internet.

ICMP: Internet Control Message Protocol. Network-layer Internet protocol that reports errors and provides other information relevant to IP packet processing.

IDS: Intrusion Detection System. A method of detecting malicious network activity by signatures and then implementing a policy for that signature.

IETF: The Internet Engineering Task Force.

inspection engine: The security appliance inspects certain application-level protocols to identify the location of embedded addressing information in traffic. This allows NAT to translate these embedded addresses and to update any checksum or other fields that are affected by the translation. Because many protocols open secondary TCP or UDP ports, each application inspection engine also monitors sessions to determine the port numbers for secondary channels.

IPSec: IP Security. A framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer. IPSec uses IKE to handle the negotiation of protocols and algorithms based on local policy and to generate the encryption and authentication keys to be used by IPSec.
M

mask: A 32-bit mask that shows how an Internet address is divided into network, subnet, and host parts. The mask has ones in the bit positions to be used for the network and subnet parts, and zeros for the host part. The mask should contain at least the standard network portion, and the subnet field should be contiguous with the network portion.

MCR: See multicast.

N

N2H2: A third-party, policy-oriented filtering application that works with the security appliance to control user web access. N2H2 can filter HTTP requests based on destination host name, destination IP address, and username and password. The N2H2 corporation was acquired by Secure Computing in October, 2003.

NAT: Network Address Translation. Mechanism for reducing the need for globally unique IP addresses.

OSPF: Open Shortest Path First. OSPF is a routing protocol for IP networks. OSPF is a routing protocol widely deployed in large networks because of its efficient use of network bandwidth and its rapid convergence after changes in topology. The security appliance supports OSPF.

OU: Organizational Unit. An X.500 directory attribute.

outbound: Refers to traffic whose destination is on an interface with lower security than the source interface.

outbound ACL: An ACL applied to outbound traffic.

PKCS12: A standard for the transfer of PKI-related data, such as private keys, certificates, and other data. Devices supporting this standard let administrators maintain a single set of personal identity information.

PNS: PPTP Network Server. A PNS is envisioned to operate on general-purpose computing/server platforms. The PNS handles the server side of PPTP.

protocol, protocol literals: A standard that defines the exchange of packets between network nodes for communication. Protocols work together in layers. Protocols are specified in a security appliance configuration as part of defining a security policy by their literal values or port numbers. Possible security appliance protocol literal values are ahp, eigrp, esp, gre, icmp, igmp, igrp, ip, ipinip, ipsec, nos, ospf, pcp, snp, tcp, and udp.
RLLA: Reserved Link Local Address. Multicast addresses range from 224.0.0.0 to 239.255.255.255, however only the range 224.0.1.0 to 239.255.255.255 is available to us. The first part of the multicast address range, 224.0.0.0 to 224.0.0.255, is reserved and referred to as the RLLA. These addresses are unavailable. We can exclude the RLLA range by specifying 224.0.1.0 to 239.255.255.255, that is, 224.0.0.0 to 239.255.255.255 excluding 224.0.0.0 to 224.0.0.255. This is the same as specifying: 224.0.1.
S

SA: security association. An instance of security policy and keying material applied to a data flow. SAs are established in pairs by IPSec peers during both phases of IPSec. SAs specify the encryption algorithms and other security parameters used to create a secure tunnel. Phase 1 SAs (IKE SAs) establish a secure tunnel for negotiating Phase 2 SAs. Phase 2 SAs (IPSec SAs) establish the secure tunnel used for sending user data.

SIP: Session Initiation Protocol. Enables call handling sessions, particularly two-party audio conferences, or “calls.” SIP works with SDP for call signaling. SDP specifies the ports for the media stream. Using SIP, the security appliance can support any SIP VoIP gateways and VoIP proxy servers.

site-to-site VPN: A site-to-site VPN is established between two IPSec peers that connect remote networks into a single VPN.

Static PAT: Static Port Address Translation. Static PAT is a static address that also maps a local port to a global port. See also Dynamic PAT, NAT.

subnetmask: See mask.

T

TACACS+: Terminal Access Controller Access Control System Plus. A client-server protocol that supports AAA services, including command authorization. See also AAA, RADIUS.

TAPI: Telephony Application Programming Interface. A programming interface in Microsoft Windows that supports telephony functions.
transparent firewall mode: A mode in which the security appliance is not a router hop. You can use transparent firewall mode to simplify your network configuration or to make the security appliance invisible to attackers. You can also use transparent firewall mode to allow traffic through that would otherwise be blocked in routed firewall mode. See also routed firewall mode.
V

VLAN: Virtual LAN. A group of devices on one or more LANs that are configured (using management software) so that they can communicate as if they were attached to the same physical network cable, when in fact they are located on a number of different LAN segments. Because VLANs are based on logical instead of physical connections, they are extremely flexible.

VoIP: Voice over IP. VoIP carries normal voice traffic, such as telephone calls and faxes, over an IP-based network.

X

X.509: A widely used standard for defining digital certificates. X.509 is actually an ITU recommendation, which means that it has not yet been officially defined or approved for standardized usage.

xauth: See IKE Extended Authentication.

xlate: An xlate, also referred to as a translation entry, represents the mapping of one IP address to another, or the mapping of one IP address/port pair to another.